Add information from one event to another.

#1 DDGH
Hello! I've been fighting for a week, but the ideas have ended. When you delete files, Windows generates two events: 4663, then 4660. In EventID:4663 there is a file name; in EventID:4660 there is a result. As a marker we can use the _EventRecordID_, which will differ by 1 for these two events. The idea is, with the help of pm_evcorr, to add a field into EventID:4663 from EventID:4660. As far as I understood, the design should be this:

1. EventID:4663 arrives.
2. If EventID:4660 arrives within 2 seconds and its _EventRecordID_ is greater by 1, then
3. We drop the _ObjectName_ from event 4663 into event 4660.

User guides tell us that the design should be of the form

```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition $Message =~ /^pair-first/
RequiredCondition $Message =~ /^pair-second/
Interval 30
Exec $raw_event = "got pair";
```

And

```
Exec $new_field = 'new field value';
```

But the problem is that it's absolutely certain that something (or rather everything) is not working like that:

```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition $EventID =4663
RequiredCondition $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);   - Here the main problem
Interval 2
Exec $FileName = get_prev_event_data("ObjectName");
```

I will be very grateful for help, a hint on what to read, or examples.
#2 b0ti Nxlog ✓

$EventID = 4663 is an assignment. $EventID == 4663 is a boolean condition check. I think you want to use the latter.

This one is also flawed:

```
$EventRecordID = get_prev_event_data("EventRecordID" + 1);
```

The following should be correct:

```
$EventRecordID == get_prev_event_data("EventRecordID") + 1
```
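A complete pm_evcorr configuration that applies both corrections from the answer above (comparison with `==`, and `+ 1` applied to the returned value rather than to the field-name string), as an added example that is not part of the thread and not taken from NXLog's documentation. The module instance names (`eventlog`, `evcorr`, `json`, `out`), the output file path, and the assumption that `$EventRecordID` arrives as an integer are mine:

```nxlog
# Added example, not from the original thread. Instance names and the
# output path are assumptions; adjust them to the local deployment.

<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Keep only the two object-access audit events the pair rule needs
    # (constructed filter; drop it if other events are routed here too).
    Exec        if ($EventID != 4663 and $EventID != 4660) drop();
</Input>

<Processor evcorr>
    Module      pm_evcorr
    <Pair>
        # '==' compares. A single '=' would assign 4663 to $EventID on
        # every event, so the condition would never behave as a test.
        TriggerCondition    $EventID == 4663
        # The +1 belongs outside get_prev_event_data(): it is added to the
        # record id of the stored 4663 event, not to the string
        # "EventRecordID". Assumes $EventRecordID is an integer field.
        RequiredCondition   $EventID == 4660 and $EventRecordID == get_prev_event_data("EventRecordID") + 1
        # Wait at most 2 seconds for the matching 4660 event.
        Interval            2
        # Exec runs on the second (4660) event, so the file name from the
        # paired 4663 is copied onto the event that carries the result.
        Exec                $FileName = get_prev_event_data("ObjectName");
    </Pair>
</Processor>

<Output out>
    Module      om_file
    # Assumed path; the enriched 4660 events land here as JSON lines.
    File        "C:\\logs\\file-deletes.json"
    Exec        to_json();
</Output>

<Route r>
    Path        eventlog => evcorr => out
</Route>
```

Two caveats for anyone reusing this. If `$EventRecordID` is delivered as a string rather than an integer, wrap both sides with NXLog's `integer()` function before comparing, otherwise the `+ 1` will not behave as expected. And the rule relies on the two record ids being consecutive: on a busy host, another audited event written between the 4663 and the 4660 breaks the `+ 1` relation, so the pair silently fails to match and the 4660 event is emitted without `$FileName`. Checking the output for 4660 events that lack that field is the quickest way to see how often that happens.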