that is getting closer... at least I get data now... I'm just getting too many codes that don't fit between those numbers 4868-4900.

anything like:
1....538...540....56x,...57x..... 46xx......47xx......48xx.....49xxxx.... 50xx.....51xx.....61xx.....62xx.....82xx

tried many variations of something like:

sourcetype=WinEventLog:Security host=* | rex field=EventCode "(?P((48(6[8-9])|[7-9][0-9])|4900))"

if I dump: (48(6[8-9])|[7-9][0-9])|4900 into an online regex tester...it gives me the right range 4868-4900... I'm not sure where I'm causing splunk grief in the syntax 🙂