What you want to look at is using the whitelist and blacklist features within inputs.conf on the universal forwarder to only capture the specific Windows EventCode to meet your needs.
Details on the inputs configuration here: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Use_inputs.conf_to_config...
Splunk blog post with real examples here: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
Can I control which part of file for forwarding only success security log of event viewer?
Can I setup on source server with installed universal forwarder or destination server (Splunk server)?
I want to know detail settings.