The syntax for CREATE SERVER AUDIT is:
[sql]
CREATE SERVER AUDIT audit_name
{
TO { [ FILE (<file_options> [ , ...n ] ) ] | APPLICATION_LOG | SECURITY_LOG }
[ WITH ( <audit_options> [ , ...n ] ) ]
[ WHERE <predicate_expression> ]
}
[/sql]
Where <predicate_expression> is
<predicate_factor>::=
event_field_name { = | < > | ! = | > | > = | < | < = } { number | ' string ' }
[/sql]
And for event_field_name, Books Online says:
Is the name of the event field that identifies the predicate source. Audit fields are described in sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and audit_file_offset.
That is, you should be able to filter out sa with
sessoion_server_principal_name <> 'sa2'
I'm not sure what you see when you see VIEW SERVER STATE, but the same may be possible in this cas.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]