Are you looking for those values in specific fields, or just anywhere in the event? If you are looking for them just anywhere in the event, then I would suggest that you don't use regex at all. Simply do a search like this:
sourcetype=WinEventLog:Security EventCode=540 NOT ("SYSTEM" OR "ANONYMOUS LOGON" OR "$")
However, that may be a bit too loose. For example, the term "system" could occur else where in your event, and perhaps a clever hacker would attempt to hide logon attempts by using a "$" as part of their username,.... So perhaps it's would be better to be slightly more specific about what we want to filter out.
So, this may be a better search:
sourcetype=WinEventLog:Security "EventCode=540" NOT ("User=SYSTEM" OR "User=ANONYMOUS LOGON" OR USER="*$")
(Notice the usage of quotes around the entire expressions--this make splunk look for those literal terms in the index, rather than doing a field matching, which should result in a faster search)
I'm not sure about the USER="*$" part, that does give difference results than simply searching for "$", so you'll have to play around and see what results you really want.