The correct audit journal code for a deleted object whether it is iSeries or IFS is DO.
To dump the journal information into data base format, IBM has provided a series of PF’s in QSYS library named QASYxxJ4 where ‘xx’ is the audit journal code entry. For the DO entries you would do a CRTDUPOBJ of file QASYDOJ4 into a library. Best if you rename this so as not to cause problems. For this example lets say we call the new file JRNDO.
To dump the journal data do the following adding any other date selections etc:
DSPJRN JRN(QAUDJRN) ENTTYP(DO)
What you end up with is a DB formatted file that shows all delete operations on the system regardless of object type. I believe it excludes any QTEMP object deletes. For an IFS object there is a full path name field that shows the entire file name path.
This can be done for any of the journal codes.
Hope this helps.
As you already discovered, the correct entry type is LD (not) DO). But how did you learn about LD entries without learning the format?
Formats of all security entry types are described in Appendix F of the Security Reference manual for the OS version/release that you’re running. If that doesn’t tell you what you need to know, you either need to hire someone with the knowledge or use your IBM support contract to ask ‘usage’ questions. Beyond that, it’s experiment and experience.