Hello guys
I'm trying to drop the end of all Security events:
This event is generated when a logon session is created. It is generated on the computer that was accessed.
....
My conf files on the Heavy Forwarder are:
[transforms.conf]
[win-event-cut-en]
DEST_KEY = _raw
REGEX = ((.*+[\v])+)(?=This event is generated when)
FORMAT = $1
[props.conf]
[WinEventLog:Security]
TRANSFORMS-windows_events =win-event-cut-en
It doesn't work.