I am attempting to generate a report showing unauthorized file create,
modify, delete events is a specific folder and sub folders.
I have created a dynamic list with the authorized users in it.

In correlation I created the following:
filter(((e.InitiatorUserName inlist Privileged_Accounting_Users)) AND
((e.TargetDataContainer = "datavol/shares/accounting/*"))). I expect
that this filter would show all activity performed by the users in the

No results are being returned by the filter.
I know there are events because searching using
filter(((e.TargetDataContainer = "datavol/shares/accounting/*"))) shows
many file create, modify and delete events.
Searching using (rv36("DATAVOL/shares/accounting"))) shows many file
create, modify and delete events.

I have confirmed that InitiatorUserName is the correct field.

filter(((not e.InitiatorUserName inlist Privileged_Accounting_Users))
AND ((e.TargetDataContainer = "datavol/shares/accounting/*")))

What am I doing wrong?

If I enter each user into the filter it works.
filter(((e.TargetDataContainer = "datavol/shares/accounting/*")) AND
(((e.InitiatorUserName = "User1")) OR ((e.InitiatorUserName = "User2"))
OR ((e.InitiatorUserName = "User3")) OR ((e.InitiatorUserName =

After I get this working, I want to exclude all files that have a .tmp
extension.... First things first...

Thanks for your help and insight

BTW I am using Sentinel 7.0.3

chuchseos's Profile: https://forums.netiq.com/member.php?userid=4685
View this thread: https://forums.netiq.com/showthread.php?t=47410