you need to connect the pipeline to the stream where the messages are CURRENTLY and not where they should go.
Most likely it is that you need to connect your pipeline to the all messages stream to filter out those messages into a separate stream.
rule “Locked Users Rule”
// first check if the field that is compared is given
// otherwise this rule would create an error on every message
// that does not contain the field.
to_string($message.EventID) == “4740”
// routing via stream name is possible
// but as the names for streams are not unique
// the routing should be done via the ID of the stream
route_to_stream(“Monitor Locked User”);