Hello,
I have some events with IpAddress set to '-' and i want to suppress those events using a custom view. I try the following filter:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4625)]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name='IpAddress'] and (Data='-')]]</Suppress>
</Query>
</QueryList>
This supresses all events because I believe this indicates a range that includes everything. Or maybe I'm wrong, however no events shows up in the view.
How can I suppress events with '-' in one of the event data properties?
Thanks a lot,
Boaz.
