Hi friends!

How to discard Windows events of type EventCode = 4663 from Splunk executables?
Dismiss only Splunk-related events:
SplunkUniversalForwarder \ bin \
splunk-powershell.exe
splunk-regmon.exe
splunk-admon.exe

To reduce the consumption of the Splunk license.

Example log:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{}'/><EventID>4663</EventID><Version>1</Version><Level>0</Level><Task>12802</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-23T14:56:54.615235600Z'/><EventRecordID>835675728</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>DC01.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>DC01$</Data><Data Name='SubjectDomainName'>DC01</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>SymbolicLink</Data><Data Name='ObjectName'>\SHARE??\E:</Data><Data Name='HandleId'>0x94</Data><Data Name='AccessList'>%%4544</Data><Data Name='AccessMask'>0x1</Data><Data Name='ProcessId'>0x1fa8</Data><Data Name='ProcessName'>E:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advancend!

James \o/