Channel: THWACK: Message List

Re: Search pattern for file audits on specific server not carried out by one of four accounts


I know, replying to myself. So far my testing has yielded:

  1. This works as described in filters and rules
  2. Equals works great in nDepth but not equals with a field seems to be dysfunctional (differently functional?)
  3. Using the "User Name" refine field (only exists in nDepth) with != does seem to work. (User Name searches across all account fields, using a field directly just searches that one field... so it's not precisely equal but it's worth a shot)

 

So, try reconstructing your search with:

File Audit Events.InsertionIP = server1

AND

User Name != user1

AND

User Name != user2

AND

User Name != user3

 

You might have to run the first search (File Audit Events.InsertionIP=server1) then drag the user name field into the search bar from the refine fields on the left to get it to add.

