The Splunk App for CEF demonstrates one way of doing this.
Thanks, but I am looking for an alternative to this app.
My current tools are limited to "Searching and Reporting" App and any python scripts I can put on the server.
This maybe sounds strange in the first place; but how about using the route and filter method in props.conf
like written in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad#Replicate_a_subset_...
Use as regex something like this REGEX = .+EventCode=4624.+Logon_Type=2
and set it on the sourcetype [WinEventLog:Security]
I didn't even know you could do that, it's possible that it could work, my fields are using the Windows app for splunk so I'm not sure if I'd be able to use that regex. Thanks for the tip.