Hi, thanks for your help. I tried the following configuration in my transforms.conf:

[remove_logoff]
INGEST_EVAL = queue=if(match(_raw,"EventCode=4634") AND match(_raw,"Security\sID:[\s]+.*\$"), "nullQueue", queue)

props.conf:

[WinEventLog]
TRANSFORMS-remove_computer_logoff = remove_logoff

But after I run the query, I still get the unwanted logs. I tried the same expression in a search as well, to check whether the regex was right, and everything seems fine:

index=* sourcetype=WinEventLog
| eval result=if(match(_raw,"EventCode=4634") AND match(_raw,"Security\sID:[\s]+.*\$"), "Filter", "No need to filter this log")
| stats count by host, result

Am I missing something?

P.S. I cannot do a blacklist directly on the hosts.
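An added example, written here and not part of the original post or of Splunk, that emulates the queue assignment from the INGEST_EVAL above in Python's re module so the two conditions can be checked offline against sample events. The events are constructed, not real log data; the names route, route_all and SAMPLES are mine. It assumes that match() in Splunk, like re.search in Python, does not let "." cross a line break unless told to; that is an assumption about Splunk, which is why the emulation lets you toggle the behaviour and compare the outcome for a multi-line event against the same event flattened onto one line.

```python
import re

# The two conditions exactly as written in the post's INGEST_EVAL.
EVENTCODE_RE = re.compile(r"EventCode=4634")
COMPUTER_ACCOUNT_RE = r"Security\sID:[\s]+.*\$"   # compiled per call so the flags can vary


def route(raw: str, queue: str = "indexQueue", dot_matches_newline: bool = False) -> str:
    """Emulate: queue=if(match(_raw, A) AND match(_raw, B), "nullQueue", queue).

    dot_matches_newline=False mirrors the default in which '.' stops at a line
    break (assumed to be what Splunk's match() does by default, see lead-in).
    """
    flags = re.DOTALL if dot_matches_newline else 0
    if EVENTCODE_RE.search(raw) and re.search(COMPUTER_ACCOUNT_RE, raw, flags):
        return "nullQueue"
    return queue


# Constructed sample events (not real log data). Windows Security events are
# multi-line text in which 'Account Name' sits on its own line below 'Security ID'.
COMPUTER_LOGOFF_MULTILINE = (
    "01/15/2024 10:00:00 AM\n"
    "LogName=Security\n"
    "EventCode=4634\n"
    "Message=An account was logged off.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tWS01$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n"
)

# Same event for a user account: no trailing '$' anywhere in the text.
USER_LOGOFF_MULTILINE = COMPUTER_LOGOFF_MULTILINE.replace("WS01$", "jdoe")

# Same computer-account logoff with the line breaks collapsed, so the '$'
# ends up on the same line as 'Security ID:'.
COMPUTER_LOGOFF_ONELINE = " ".join(COMPUTER_LOGOFF_MULTILINE.split("\n"))

# A logon (4624) for the same computer account: first condition fails.
COMPUTER_LOGON_MULTILINE = COMPUTER_LOGOFF_MULTILINE.replace("EventCode=4634", "EventCode=4624")

SAMPLES = {
    "computer_logoff_multiline": COMPUTER_LOGOFF_MULTILINE,
    "user_logoff_multiline": USER_LOGOFF_MULTILINE,
    "computer_logoff_oneline": COMPUTER_LOGOFF_ONELINE,
    "computer_logon_multiline": COMPUTER_LOGON_MULTILINE,
}


def route_all(dot_matches_newline: bool = False) -> dict:
    """Queue decision for every sample, the way '| stats count by result' would group them."""
    return {
        name: route(raw, dot_matches_newline=dot_matches_newline)
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"dot_matches_newline={mode}")
        for name, decision in route_all(mode).items():
            print(f"  {name:28s} -> {decision}")
```

Run as-is and the multi-line computer-account logoff is only sent to nullQueue when "." is allowed to cross the line break, while the flattened copy of the same event is dropped in both modes; the user logoff and the 4624 event are kept in both. The practical check this gives you is to look at how the raw event is actually laid out at the point where the transform runs, and to test the regex on that exact text rather than on a single-line rendering of it.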