i too believe there is a bug - this worked as documented in versions prior to 6.0

I have been trying to find the same thing.. Sounds like a great feature request

"You can set up workflow actions that only apply to events that have a specified field or set of fields. ...you would declare http_status in the Apply only to the following fields setting.

...When more than one field is listed the workflow action is displayed only if the entire list of fields are present in the event."

Based on this information I thought I would be able to accomplish what I want by adding a second field that is not available in the System log, however, no matter what I add here, the workflow action is displayed for ALL events, even ones which do not have either field.

Its not a search results issue. I have a workflow set up which has "Apply only to the following fields" set to "EventCode". However, this field is available in Security log events and System log events. I want to limit this action to only show for Security log events.

In doing some additional testing I think there may be a different behavior (bug) in version 6. According to the documentation (http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/CreateworkflowactionsinSplunkWeb):

Then you need to adjust your search to select only the events you want to see (or remove those you don't want to see). For example, 'sourcetype="WinEventLog:Security" LogName="Security" | ...'

That doesn't prevent the workflow from displaying in System events.