For the eventCode filtering you can simply use Whitelist in inputs.conf to only collect EventCode 4672, 4673, 4674 & 4624.
https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Inputsconf (see whitelist for Windows Event Log Monitor)
And after, only have the excludeDestination as a stanza in your transforms.conf.
Otherwise I think you configuration is okay, but you'll have to change your props.conf to :
[WinEventLog:Security]
TRANSFORMS-routing = excludeDestination, routeDestination
Because you want first to discard the Logon_Type=3 then keep the log if the EventCode match, not the other way around because the EventCode will always match and therefore it will always use the routeDestination.
It works like ACL, first matched, first served.
3no
... View more