Add information from one event to another.
DDGH
Hello!
I've been fighting with this for a week, but I've run out of ideas.
When you delete files, Windows generates two events: 4663, then 4660.
EventID:4663 contains the file name; EventID:4660 contains the result.
The _EventRecordID_ can be used as the marker; it will differ by 1 for these two events.
The idea is to use pm_evcorr to add to EventID:4663 a field from EventID:4660.
As far as I understand, the design should be this:
1. EventID:4663 arrives.
2. If EventID:4660 arrives within 2 seconds and its _EventRecordID_ is greater by 1, then
3. We drop the _ObjectName_ from event 4663 into event 4660.
The user guides tell us that the design should be of the form:
```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition $Message =~ /^pair-first/
RequiredCondition $Message =~ /^pair-second/
Interval 30
Exec $raw_event = "got pair";
```
And
```
Exec $new_field = 'new field value';
```
But the problem is that it's absolutely certain that I'm doing something (or rather everything) wrong:
```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition $EventID =4663
RequiredCondition $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);
# ^ Here is the main problem
Interval 2
Exec $FileName = get_prev_event_data("ObjectName");
```
I would be very grateful for help, a hint about what to read, or examples.
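
The pairing logic from the three steps in the post, sketched in Python as an added example (it is not from the original post and is not NXLog configuration). The `FileName` destination field and the 2-second window follow the post; the `EventTime` key, the assumption that events arrive in time order, and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=2)  # the Interval from the post


def correlate_deletes(events, window=WINDOW):
    """Copy ObjectName from each 4663 into the 4660 that follows it.

    A 4660 is paired only if its EventRecordID is exactly one greater than
    a pending 4663's and it arrives within `window`. Events are dicts in
    time order; the input is not modified. Unpaired events pass through.
    """
    pending = {}  # expected 4660 EventRecordID -> the 4663 event
    out = []
    for ev in events:
        ev = dict(ev)
        now = ev["EventTime"]
        # Expire 4663 events whose window has closed, so state stays bounded.
        pending = {rid: p for rid, p in pending.items()
                   if now - p["EventTime"] <= window}
        if ev["EventID"] == 4663:
            pending[ev["EventRecordID"] + 1] = ev
        elif ev["EventID"] == 4660:
            first = pending.pop(ev["EventRecordID"], None)
            if first is not None:
                ev["FileName"] = first["ObjectName"]
        out.append(ev)
    return out


def _ev(event_id, record_id, seconds, **fields):
    """Build a constructed sample event (not real log data)."""
    t = datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=seconds)
    return {"EventID": event_id, "EventRecordID": record_id, "EventTime": t, **fields}


# Constructed sample stream.
SAMPLE = [
    _ev(4663, 100, 0.0, ObjectName=r"C:\share\report.docx"),
    _ev(4660, 101, 0.5),    # paired: record id +1, within 2 s
    _ev(4663, 200, 10.0, ObjectName=r"C:\share\old.txt"),
    _ev(4660, 201, 13.0),   # too late: outside the window
    _ev(4663, 300, 20.0, ObjectName=r"C:\share\a.txt"),
    _ev(4660, 305, 20.1),   # record id gap: not a pair
]

if __name__ == "__main__":
    for e in correlate_deletes(SAMPLE):
        if e["EventID"] == 4660:
            print(e["EventRecordID"], e.get("FileName", "<no matching 4663>"))
```

A 4660 that ends up without `FileName` is worth keeping in the output rather than dropping: it marks a deletion whose 4663 was missed or fell outside the window.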