Hello!
I've been fighting for a week, but the ideas have ended. When you delete files, Windows generates 2 Events 4663 then 4660. In EventID:4663 there is a file name, in EventID:4660 there is a result. The Marker can use the EventRecordID, which will differ by 1 for these two events. The idea with the help pm_evcorr add in EventID:4663 field from EventID:4660. As far as I understood, the design should be this:

1. EventID:4663 arrives
2. If EventID:4660 arrives within 2 seconds and in it EventRecordID greater by 1, then
3. We drop the ObjectName from the event 4663 into event 4660.
   User guides tell us that the design should be of the form

  <Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $Message =~ /^pair-first/
    RequiredCondition   $Message =~ /^pair-second/
    Interval            30
    Exec                $raw_event = "got pair";
    </Pair>

And

Exec $new_field = 'new field value';

But the problem is that it's absolutely certain that something (or rather everything) is not doing so

<Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $EventID =4663
    RequiredCondition   $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);  - Here the main problem
    Interval            2
    Exec $FileName = get_prev_event_data("ObjectName");
    </Pair>

I will be very grateful for the help, the hint what to read or examples.