Sorry, it actually started working, not sure why but after about 15 minutes the same exact text returned results. I used the following successfully: | where NOT match(username,"\d+$") Thanks again. ... View more

An entry in props.conf can also help reduce the amount of data ingested by Windows events without removing meaningful values: [WinEventLog:Security] SEDCMD-remwinstr = s/(?ism)(Token Elevation Type indicates|This event is generated).*$//g ... View more