Hi,
I have set up 2 items to monitor a specific event in the eventlog.
- item 1: Windows event ID 4659: A handle to an object was requested with intent to delete.
To collect Event ID 4659 this item has key: eventlog[Security,,,,^4659$,,skip]
In the history of this item I can see all the events with Event ID 4659.
- item 2: Windows event ID 4659: A handle to an object was requested with intent to delete. - count
This item counts the values of item 1 for the last hour. The item type is "Calculated" and is using formula count(/SERVER/eventlog[Security,,,,^4659$,,skip],1h)
This works fine too...
- when a string like ~$ exists it should not be counted
- when a string like .tmp exists it should not be counted.
When I change the formula in item 2 to count(/SERVER/eventlog[Security,,,,^(?!.*(?:~\$|\.tmp)).*4659.*$,,skip],1h) the item gives error: Cannot evaluate function: item "/SERVER/eventlog[Security,,,,^(?!.*(?:~\$|\.tmp)).*4659.*$,,skip]" does not exist at "count(/SERVER/eventlog[Security,,,,^(?!.*(?:~\$|\.tmp)).*4659.*$,,skip],1h)".
An example of the raw output of the Windows event ID 4659:
A handle to an object was requested with intent to delete.
Subject:
Security ID: DOMAIN\user1
Account Name: user1
Account Domain: DOMAIN
Logon ID: 0x6CE3928
Object:
Object Server: Security
Object Type: File
Object Name: D:\~$test.xlsx
Handle ID: 0x0
Process Information:
Process ID: 0x4
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
ReadAttributes
Access Mask: 0x10080
Privileges Used for Access Check:
You need to move that regex a bit, out of item key... into function parameters.
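Added example (not part of the original post or reply) to show what moving the regex into the function parameters does to the count. It assumes Zabbix 5.4+ syntax, where the filter goes in the third and fourth parameters of count(), e.g. count(/SERVER/eventlog[Security,,,,^4659$,,skip],1h,"regexp","(?s)^(?!.*(?:~\$|\.tmp)).*$"), so item 1's key stays exactly as it exists and the calculated item keeps resolving it. It also assumes the stored item value is the full multi-line message text and that Zabbix evaluates the pattern with PCRE semantics, where "." does not match a newline unless (?s) is set. The sample messages below are constructed; the Python re module stands in for the count() evaluation.

```python
import re

# Constructed sample 4659 message bodies (not captured data). The value an
# eventlog[] item stores is the multi-line message, so the Object Name the
# filter cares about is never on the first line.
EVENTS_4659 = [
    "A handle to an object was requested with intent to delete.\n"
    "Subject:\n\tSecurity ID: DOMAIN\\user1\n\tAccount Name: user1\n"
    "Object:\n\tObject Type: File\n\tObject Name: D:\\~$test.xlsx\n"
    "Access Request Information:\n\tAccesses: DELETE\n",
    "A handle to an object was requested with intent to delete.\n"
    "Subject:\n\tSecurity ID: DOMAIN\\user1\n\tAccount Name: user1\n"
    "Object:\n\tObject Type: File\n\tObject Name: D:\\report.tmp\n"
    "Access Request Information:\n\tAccesses: DELETE\n",
    "A handle to an object was requested with intent to delete.\n"
    "Subject:\n\tSecurity ID: DOMAIN\\user1\n\tAccount Name: user1\n"
    "Object:\n\tObject Type: File\n\tObject Name: D:\\report.xlsx\n"
    "Access Request Information:\n\tAccesses: DELETE\n",
    "A handle to an object was requested with intent to delete.\n"
    "Subject:\n\tSecurity ID: DOMAIN\\user2\n\tAccount Name: user2\n"
    "Object:\n\tObject Type: File\n\tObject Name: D:\\budget.docx\n"
    "Access Request Information:\n\tAccesses: DELETE\n",
]

# The pattern from the question, as it would be passed to count(...,"regexp",...).
# Without (?s) the lookahead only scans the first line and the trailing .*$
# cannot cross a line break, so nothing is counted at all.
PATTERN_FROM_POST = r"^(?!.*(?:~\$|\.tmp)).*$"

# Same pattern with (?s): '.' also matches newlines, so the negative lookahead
# sees the whole message and .*$ reaches its end.
PATTERN_DOTALL = r"(?s)^(?!.*(?:~\$|\.tmp)).*$"

# Positive pattern for the files that must NOT be counted; no anchors or
# lookahead, so line breaks are irrelevant.
EXCLUDE = r"~\$|\.tmp"


def count_regexp(messages, pattern):
    """Model count(/host/key,1h,"regexp",pattern): number of values matching."""
    rx = re.compile(pattern)
    return sum(1 for msg in messages if rx.search(msg))


def count_excluding(messages, exclude_pattern):
    """Model count(...,1h) - count(...,1h,"regexp",exclude): total minus the
    excluded ones. This is the form that needs no lookahead at all."""
    return len(messages) - count_regexp(messages, exclude_pattern)


if __name__ == "__main__":
    print("pattern from post:", count_regexp(EVENTS_4659, PATTERN_FROM_POST))
    print("with (?s):        ", count_regexp(EVENTS_4659, PATTERN_DOTALL))
    print("total - excluded: ", count_excluding(EVENTS_4659, EXCLUDE))
```

The subtraction form maps onto two count() calls in the calculated item, count(/SERVER/eventlog[Security,,,,^4659$,,skip],1h) - count(/SERVER/eventlog[Security,,,,^4659$,,skip],1h,"regexp","~\$|\.tmp"), and is the easier one to verify in the item's Test dialog because each half can be checked on its own.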