ja_s...I understand re security eventlog. I ran it (on 4.3) and did not have any errors. My v5 lab is down at the mo'...will try there. tag::user="foo" at search line worked as well.

No, I don't want the above to be tag names, those are the usernames that Windows uses. Search on user="NETWORK SERVICE" if you have a Windows client. I have several coming from the Security Eventlog. Make user a selected field, pull down "Tag user=NETWORK SERVICE", put in "foo" for tag name, then go to Manager » Tags » List by field value pair then select user=NETWORK%20SERVICE and you will get a 404.

Try this (sorry - a bit slow tonight). Create a new tag with name of ANON_LOGON, add field value pair of user="ANONYMOUS" and another value of action="login attempt".
If that fails, try running the search manually. My test was: user="admin" action="login attempt" | top user host source sourcetype | fields - percent
But I was using "admin" because I know I have those and no anons in the indexes.
You may also need to create more values for user="anonymous" OR user="ANONYMOUS"

Tags names don't have quotes, nor spaces. If you really want the tag name to be similar to that it then use ANONYMOUS_LOGON as its name.Field Pair value would be user="ANONYMOUS" etc?

Well, that's fine, but I created the tags via the pull-down on the "user" selected field. However, I did manually add them with quotes, as you suggest, via the Tags Manager, but they don't seem to get tagged in results.