Event log: suppress events with event data equal to minus sign ('-')
Hello, I have some events with IpAddress set to '-' and I want to suppress those events using a custom view. I tried the following filter:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name='IpAddress'] and (Data='-')]]</Suppress>
      </Query>
    </QueryList>

This suppresses all events, because I believe this indicates a range that includes everything. Or maybe I'm wrong; however, no events show up in the view. How can I suppress events with '-' in one of the event data properties? Thanks a lot, Boaz.
May 11th, 2013 6:18pm

Hi, please read this article about broader filtering and multiple statements: Advanced XML filtering in the Windows Event Viewer, http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx

I think the following sample is worth trying. The following XML example shows how to use a query to select all the events in the System channel, except those that have a Severity equal to Informational (Level equal to 4):

    <Query id="1" path="System">
      <Select>*</Select>
      <Suppress>*[System/Level=4]</Suppress>
    </Query>

Alex Zhao, TechNet Community Support
May 13th, 2013 10:29am

Thank you, Alex. I have a specific problem with filtering out a specific value in the event data. I think I understand the event log filtering query language well. I have a specific problem with filtering out events that have the value '-' in an event data property. I want to filter out all events that have the value '-' in some event data property. When I try to suppress those events using this query:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name='IpAddress'] and (Data='-')]]</Suppress>
      </Query>
    </QueryList>

for some reason all events are filtered out, and not only those with the '-' value in them.
May 14th, 2013 1:07am

Hi, it's a little weird. Did you try to filter other types of events? Can you paste one event's XML view in the forum?

Alex Zhao, TechNet Community Support
May 14th, 2013 11:15am

Hi, thank you again, Alex. This is an example of an event that I'm trying to filter out (I replaced sensitive information with "XXXXXX"):

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-05-12T15:52:27.073599500Z" />
        <EventRecordID>3975921</EventRecordID>
        <Correlation />
        <Execution ProcessID="528" ThreadID="29560" />
        <Channel>Security</Channel>
        <Computer>XXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">XXXXXX</Data>
        <Data Name="SubjectDomainName">XXXXXX</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">XXXXX</Data>
        <Data Name="TargetDomainName">XXXXXX</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">2</Data>
        <Data Name="LogonProcessName">Advapi</Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">XXXXXX</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x3dc</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

What I'm trying to filter out is events that have '-' in the IpAddress event data property. I try to do this with the query described at the beginning of this thread. The query filters out ALL events. That is, no events are shown in the view. You can try this query yourself. If you omit the Suppress part of the query you'll see all events with ID 4625 (logon failure).

If you add the Suppress part, no event will be shown, even though most of the events do not have the value '-' in their IpAddress but rather a regular IP address. If I replace the '-' with a regular IP address (e.g., '127.0.0.1'), this address will be filtered out from the view, so basically my query works, only not for '-' values. You can try it yourself.
May 14th, 2013 10:17pm

Hi, thanks for the feedback. Based on my test, I can filter the relevant events with the '-' value. For your current situation, you can try this:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name='IpAddress']='-']]</Suppress>
      </Query>
    </QueryList>

Alex Zhao, TechNet Community Support
May 15th, 2013 5:50am
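Why the first Suppress clause hides every 4625 event while the second one works, shown as an added example (not from the thread or from Microsoft): a small Python stand-in for the two XPath predicates, run over two constructed 4625 records modelled on the one posted above. In `EventData[Data[@Name='IpAddress'] and (Data='-')]` the two tests are independent: `Data='-'` is true if ANY Data child equals '-', and real 4625 events nearly always carry '-' in TransmittedServices or LmPackageName. `Data[@Name='IpAddress']='-'` compares the IpAddress field alone.

```python
# Added example: Python stand-in for the Event Viewer XPath predicates in this thread.
# Sample events are constructed; record 2 has a real IpAddress but still carries '-'.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Two constructed 4625 records modelled on the one posted in the thread (not real
# log data). Record 2 has a real IpAddress but '-' in TransmittedServices.
EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <Event><System><EventID>4625</EventID><EventRecordID>1</EventRecordID></System>
  <EventData>
   <Data Name="TransmittedServices">-</Data>
   <Data Name="IpAddress">-</Data>
   <Data Name="IpPort">-</Data>
  </EventData></Event>
 <Event><System><EventID>4625</EventID><EventRecordID>2</EventRecordID></System>
  <EventData>
   <Data Name="TransmittedServices">-</Data>
   <Data Name="IpAddress">192.0.2.10</Data>
   <Data Name="IpPort">49213</Data>
  </EventData></Event>
</Events>"""

def data_fields(event):
    """EventData children of one Event as (Name, text) pairs."""
    return [(d.get("Name"), d.text) for d in event.findall("e:EventData/e:Data", NS)]

def original_suppress(event):
    """*[EventData[Data[@Name='IpAddress'] and (Data='-')]]: two independent
    existence tests (an IpAddress field exists; ANY Data field equals '-')."""
    fields = data_fields(event)
    return any(n == "IpAddress" for n, _ in fields) and any(t == "-" for _, t in fields)

def fixed_suppress(event):
    """*[EventData[Data[@Name='IpAddress']='-']]: compares the IpAddress text only."""
    return any(n == "IpAddress" and t == "-" for n, t in data_fields(event))

def apply_view(xml_text, suppress):
    """Mimic the custom view: Select EventID 4625, drop Suppress matches, return visible EventRecordIDs."""
    kept = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        if not suppress(ev):
            kept.append(ev.findtext("e:System/e:EventRecordID", namespaces=NS))
    return kept
```

With the original predicate `apply_view(EVENTS, original_suppress)` returns an empty list, reproducing the empty custom view; with the corrected predicate only record 2 remains.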

Great! This is the solution! Thanks a lot!!!
May 15th, 2013 2:31pm

Hi, glad to help you with this problem.

Alex Zhao, TechNet Community Support
May 16th, 2013 4:49am
