How can i filter in Windows Office Alerts manually (xml xpath)

Question

I need to filter a specific event in the Windows Event Viewer in the Office Alerts. Unfortunately, I have no idea about this. I need to search for "Not enough free workspace..." under Event Data. I only have the following:

<QueryList>
  <Query Id="0" Path="OAlerts">
    <Select Path="OAlerts">*</Select>
  </Query>
</QueryList>

I guess i need something similar to this:

<Select Path="OAlerts">* [EventData[Data[@Name='????']='Not enough free worksapce..']]</Select>

XML View looks like this:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft Office 16 Alerts" /> 
  <EventID Qualifiers="0">300</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2023-01-31T12:33:14.0089624Z" /> 
  <EventRecordID>289</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="0" ThreadID="0" /> 
  <Channel>OAlerts</Channel> 
  <Computer>PCName</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>Microsoft Word</Data> 
  <Data>Not enough free worksapce..</Data> 
  <Data>200054</Data> 
  <Data>16.0.5369.1000</Data> 
  <Data /> 
  <Data /> 
  </EventData>
  </Event>

I hope someone can help me here.

Answer 1

I may have expressed myself incorrectly. I want to find a specific entry with a manual query. I then need to insert this in a subscription. Therefore I need the query.

Here i need to filter for "SearchProtocolHost" or whatever is between <Data> </Data>. What do i need to add in den Query.

For System I had something similar, it looked like this:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=26)]
                and EventData[(Data[@Name = 'Caption'] = 'powershell.exe - Systemfehler')]]</Select>
  </Query>
</QueryList>