To filter events, you have to identify a broad piece of information (e.g. sourcetype, host or source), then you have to find a regex to filter the logs related to that information.
You cannot use two of the above together (e.g. sourcetype + host).
E.g.: sourcetype=WinEventLog:Security and regex = EventCode=1234
REGEX = EventCode\=1234
DEST_KEY = queue
FORMAT = nullQueue
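
The complete wiring for the example above, as an added example that is not part of the original post. The stanza name `drop_eventcode_1234` and the class name `TRANSFORMS-drop1234` are hypothetical, and the regex assumes the classic key=value rendering of Windows events, where `EventCode=` starts its own line.

```ini
# props.conf (on the first full Splunk instance that parses the data:
# an indexer or a heavy forwarder)
# The stanza selects events by a single key, here the sourcetype.
# The alternatives are host::<name> or source::<path>.
[WinEventLog:Security]
TRANSFORMS-drop1234 = drop_eventcode_1234

# transforms.conf (same instance)
# Stanza name is hypothetical; it only has to match the name used in props.conf.
[drop_eventcode_1234]
# Anchored at line start and closed with \b so that EventCode=12345, or the
# text "EventCode=1234" inside a message body, does not send the event
# to the nullQueue.
REGEX = (?m)^EventCode=1234\b
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to the nullQueue are discarded before indexing and cannot be recovered from Splunk afterwards, so check the regex against a sample of the sourcetype before dropping a Security event code.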