In my Splunk Enterprise instance, I can't see the Windows event "1102" from the W10 client.
Can someone help me?
Have you verified that the event is being generated on the W10 client?
Is the Windows 10 client in a domain?
Event 1102 is logged whenever the Security log is cleared,
REGARDLESS of the status of the Audit System Events audit policy.
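
The two checks asked about in the replies can be run on the client itself. This script is an added example, not part of the original thread; it assumes it is saved as a script and run from an elevated PowerShell session on the Windows 10 client, since reading the Security log requires administrator rights.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm locally that event 1102 exists before troubleshooting Splunk.

# 1. Is event 1102 ("The audit log was cleared") present in the local Security log?
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

if (-not $events) {
    # Get-WinEvent returns nothing when no record matches the filter.
    Write-Output 'No event 1102 in the local Security log: there is nothing to forward yet.'
} else {
    foreach ($e in $events) {
        # The account that cleared the log is stored under UserData/LogFileCleared.
        $data = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            RecordId    = $e.RecordId
            ClearedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        } | Format-List
    }
}

# 2. Is the client joined to a domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ComputerName = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
} | Format-List
```

If the first check lists events that never appear in Splunk, the gap is in collection or forwarding rather than in event generation on the client.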