If you're looking for specific text in an event, don't use a negative lookahead for that text, as that will find events without the specified text. Also, it's not clear if the white space in the event is tabs, spaces, or both, so it's better to use \s than \t. Try these settings.
[WinEventLog:Security]
disabled = 0
index= win*
blacklist1=EventCode="4662" Message="Accesses:\s+Create\sChild"
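Added example, not part of either post: a Python sketch that runs the blacklist regex from the reply, a tab-only variant, and a negative-lookahead variant over three constructed 4662 Message excerpts to show which events each one would drop. The tab-only and lookahead patterns, the sample messages, and the assumption that the regex is searched unanchored against the Message text are all constructed for illustration.

```python
import re

# Constructed 4662 Message excerpts (not real log data). The first two differ
# only in whether the padding after "Accesses:" is tabs or spaces.
EVENTS = {
    "create_child_tabs":
        "Operation:\n\tOperation Type:\tObject Access\n"
        "\tAccesses:\t\tCreate Child\n",
    "create_child_spaces":
        "Operation:\n    Operation Type:  Object Access\n"
        "    Accesses:        Create Child\n",
    "write_property":
        "Operation:\n\tOperation Type:\tObject Access\n"
        "\tAccesses:\t\tWrite Property\n",
}

PATTERNS = {
    # Regex from the reply: \s covers tabs and spaces alike.
    "positive_s": r"Accesses:\s+Create\sChild",
    # Hypothetical tab-only variant: misses space-padded events.
    "positive_t": r"Accesses:\t+Create\sChild",
    # Hypothetical negative lookahead: matches events WITHOUT the text.
    "negative_lookahead": r"(?s)^(?!.*Accesses:\s+Create\sChild)",
}


def dropped(pattern, events=EVENTS):
    """Names of events a blacklist using this regex would drop.

    Assumption: the regex is searched (unanchored) against the Message text.
    """
    rx = re.compile(pattern)
    return sorted(name for name, msg in events.items() if rx.search(msg))


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        print(f"{label:20} drops {dropped(pattern)}")
```
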
Hi @somdatta1001, this isn't a question for Community; it requires a Splunk Architect or a Professional Service, also because it's hard to give you an answer without analyzing your worldwide architecture: are the two Splunk instances connected? Are they a multisite cluster? Do you need an on-line alignment? As you can suppose, there are many variables. Ciao. Giuseppe