diff --git a/splunk/wevutil.md b/splunk/wevutil.md index c7fe744..5a42d2f 100644 --- a/splunk/wevutil.md +++ b/splunk/wevutil.md @@ -1 +1,5 @@ -wevutil cl Application \ No newline at end of file +``` +wevutil cl Application +wevtutil qe Security /f:xml > *.xml +"wevtutil epl" AND ("Security *.evt*" OR "Application *.evt*") +``` \ No newline at end of file
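Review bot: The first line of the new fenced block, `wevutil cl Application`, misspells the binary name (the Windows tool is `wevtutil`; the second and third lines spell it correctly), and the same misspelling is carried in the file name `splunk/wevutil.md`. If these lines are meant as Splunk search terms for detecting event-log clearing, the misspelled token will never match a real command line, so the detection silently misses; suggest correcting it to `wevtutil cl Application` and renaming the file to `wevtutil.md` in the same change. Two smaller points: `wevtutil qe Security /f:xml > *.xml` redirects to a glob rather than a file name, which is not valid as a literal command and reads as a wildcard only inside a search, so the block should state whether its contents are search patterns or commands (a one-line note above the fence would do); and the file still ends without a trailing newline, which the diff flags on both sides.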