Hi all,
I have searched Splunk answers and official documentation for the last three days, but for the life of me can't get the result I'm after.
What I want is to collect Logon and Logoff events (be they success or failure) and discard all the rest. I found a few questions on this subject, but none of the solutions worked in my situation.
I set up a single Splunk server to collect Security Event logs from circa 200 Windows computers, all joined to a domain, using WMI. I know that best practice says to use the Universal Forwarder, but I'm trying to avoid it for different reasons, the first being the limited resources of our clients and the administrative effort of a per-client installation.
The problem is that I can't manage to filter the inputs and index only the desired events, with the result that just a fraction of the clients easily fills the 500MB daily quota limit.
This is the configuration I came up with so far, implemented on the Splunk server, not working as far as I can tell:
...\Splunk\etc\system\local\props.conf
# Event log data collected over WMI arrives with the sourcetype
# WMI:WinEventLog:Security, so the stanza must use that name.
# A [WinEventLog:Security] stanza only matches the native Windows
# event log input (inputs.conf), not WMI-collected events.
[WMI:WinEventLog:Security]
# Transforms run in the listed order and the last one that sets the
# queue wins, so the catch-all null-queue rule must come first.
TRANSFORMS-wmi = wminull,wmiparsing
...\Splunk\etc\system\local\transforms.conf
# Send every event to the null queue by default.
[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Then route the wanted logon/logoff event codes back to the index queue.
[wmiparsing]
REGEX = (?m)^EventCode=(538|540|672|673|861)
DEST_KEY = queue
FORMAT = indexQueue
Note: I also made a couple of tries with wmi.conf and inputs.conf, but from what I gather these configuration files are not relevant to my configuration (single server and no forwarders at all).
Any help troubleshooting this issue would be very welcome.
Happy splunking
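As an added illustration (not part of the original post), here is a small Python model of how Splunk evaluates the two transforms listed in TRANSFORMS-wmi: in order, with the last matching transform deciding the queue. It runs over constructed WMI-style Security events and assumes only the two regexes from the post and that last-match-wins routing.

```python
import re

# Constructed sample events in the line-oriented Key=Value shape that the
# Splunk WMI event log input produces. Not captured from a real host.
SAMPLE_EVENTS = [
    # Successful network logon, in the allow list
    "LogName=Security\nEventCode=540\nEventType=8\nMessage=Successful Network Logon",
    # User logoff, in the allow list
    "LogName=Security\nEventCode=538\nEventType=8\nMessage=User Logoff",
    # Object access, not in the allow list: should be dropped
    "LogName=Security\nEventCode=560\nEventType=8\nMessage=Object Open",
    # Kerberos authentication ticket granted, in the allow list
    "LogName=Security\nEventCode=672\nEventType=8\nMessage=Authentication Ticket Granted",
    # An allowed code appearing mid-line must NOT match the ^EventCode= anchor
    "LogName=Security\nEventCode=562\nMessage=Handle closed; related EventCode=540 seen earlier",
]

# (name, REGEX, FORMAT) in the order given by TRANSFORMS-wmi = wminull,wmiparsing.
TRANSFORMS = [
    ("wminull", re.compile(r"."), "nullQueue"),
    ("wmiparsing", re.compile(r"(?m)^EventCode=(538|540|672|673|861)"), "indexQueue"),
]

EVENT_CODE = re.compile(r"(?m)^EventCode=(\d+)")


def route_event(raw):
    """Return the queue an event ends up in after all transforms have run.

    Splunk applies each transform whose REGEX matches; when several set
    DEST_KEY = queue, the last one in the list wins.
    """
    queue = "indexQueue"  # default destination when nothing matches
    for _name, regex, fmt in TRANSFORMS:
        if regex.search(raw):
            queue = fmt
    return queue


def filter_events(events):
    """Split events into (kept_event_codes, dropped_count) as the indexer would."""
    kept, dropped = [], 0
    for raw in events:
        if route_event(raw) == "indexQueue":
            kept.append(EVENT_CODE.search(raw).group(1))
        else:
            dropped += 1
    return kept, dropped


if __name__ == "__main__":
    print(filter_events(SAMPLE_EVENTS))  # (['540', '538', '672'], 2)
```

Reversing the two entries in TRANSFORMS (wmiparsing first, wminull last) sends every event to nullQueue, which is a quick way to confirm that ordering matters before touching the real props.conf.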