From 81863a4b7811f27234c95ef11986538a05da1dff Mon Sep 17 00:00:00 2001 From: Matthew Iverson Date: Sat, 11 Jan 2025 23:13:32 -0500 Subject: [PATCH] Update splunk/wevutil.md --- splunk/wevutil.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/splunk/wevutil.md b/splunk/wevutil.md index c7fe744..5a42d2f 100644 --- a/splunk/wevutil.md +++ b/splunk/wevutil.md @@ -1 +1,5 @@ -wevutil cl Application \ No newline at end of file +``` +wevutil cl Application +wevtutil qe Security /f:xml > *.xml +"wevtutil epl" AND ("Security *.evt*" OR "Application *.evt*") +``` \ No newline at end of file
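Review bot: The first line inside the new fenced block still reads `wevutil cl Application`, while the two lines added beneath it spell the utility `wevtutil`; a search built from the first line would not match the real binary name, so correct it to `wevtutil cl Application` (the file name splunk/wevutil.md carries the same misspelling). The block also mixes two kinds of content without saying which is which: the first two lines are command lines, while `"wevtutil epl" AND ("Security *.evt*" OR "Application *.evt*")` is a search expression. Add a one-line description above each and keep the search in its own fence so readers know what to paste where. In `wevtutil qe Security /f:xml > *.xml` the redirect target `*.xml` reads as a literal file name; if it is meant as a pattern for matching command lines rather than a command to run, say so. The file also still ends without a trailing newline.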