I try to search for Windows logins in which the "Workstation Name" is different from the "ComputerName". The problem is that the "ComputerName" value contains the FQDN like "INTSERV01.mydomain.com" and the "Workstation Name" the NetBIOS name like "INTSERV01".
Log lines look like this:
Aug 20 00:17:32 logserv1 3 LOGSERV1 08/19/2013 11:18:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=**INTSERV01.mydomain.com** TaskCategory=Logon OpCode=Info RecordNumber=505078 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: INTSERV01$ Account Domain: MYDOM Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: MYDOM\account1 Account Name: account1 Account Domain: MYDOM Logon ID: 0x699c129a Logon GUID: {81EDFCE7-5B5F-B365-6602-D56C3FAE6222} Process Information: Process ID: 0x1a68 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: **INTSERV01** Source Network Address: 10.18.0.2 Source Port: 2475 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0
I would like to filter all events in which the "ComputerName" contains the "Workstation Name".
I tried "regex ComputerName!=workstation_name" but this didn't work. I suppose that "workstation_name" does not get resolved to the actual value.
Is there a way to filter these events?
I think I did it by
| eval fqdn=split(ComputerName, ".") | eval host=mvindex(fqdn,0) | where host != workstation_name
Yeah
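The same check, run offline over a few constructed 4624 lines shaped like the one in the question (added example, not code from the question or the answer above): it extracts ComputerName and the "Workstation Name:" value from the event text, reduces the FQDN to its first label the way mvindex(split(ComputerName, "."), 0) does, and flags logons whose workstation is not the logging host. It goes slightly beyond the answer by folding case on both sides and by skipping events where Windows recorded "-" as the workstation name, which would otherwise show up as false "mismatches". The field names (computer_name, workstation_name, src_ip, account) and the sample events are this example's own assumptions.

```python
import re
from typing import Optional

# Constructed sample 4624 lines (not real logs), modelled on the event in the question.
# Event 0: RDP logon where Workstation Name is the logging host itself.
# Event 1: RDP logon to INTSERV01 initiated from a different workstation (the interesting case).
# Event 2: same host, but ComputerName was recorded in lower case.
# Event 3: network logon (type 3) for which Windows recorded no workstation name ("-").
SAMPLE_EVENTS = [
    "Aug 20 00:17:32 logserv1 3 LOGSERV1 08/19/2013 11:18:34 PM LogName=Security "
    "SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information "
    "ComputerName=INTSERV01.mydomain.com TaskCategory=Logon Message=An account was successfully logged on. "
    "Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: INTSERV01$ Account Domain: MYDOM Logon ID: 0x3e7 "
    "Logon Type: 10 New Logon: Security ID: MYDOM\\account1 Account Name: account1 Account Domain: MYDOM "
    "Network Information: Workstation Name: INTSERV01 Source Network Address: 10.18.0.2 Source Port: 2475",
    "Aug 20 00:21:05 logserv1 3 LOGSERV1 08/19/2013 11:22:07 PM LogName=Security "
    "SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information "
    "ComputerName=INTSERV01.mydomain.com TaskCategory=Logon Message=An account was successfully logged on. "
    "Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: INTSERV01$ Account Domain: MYDOM Logon ID: 0x3e7 "
    "Logon Type: 10 New Logon: Security ID: MYDOM\\jdoe Account Name: jdoe Account Domain: MYDOM "
    "Network Information: Workstation Name: ADMINPC07 Source Network Address: 10.18.0.55 Source Port: 51022",
    "Aug 20 00:30:41 logserv1 3 LOGSERV1 08/19/2013 11:31:43 PM LogName=Security "
    "SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information "
    "ComputerName=intserv01.mydomain.com TaskCategory=Logon Message=An account was successfully logged on. "
    "Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: INTSERV01$ Account Domain: MYDOM Logon ID: 0x3e7 "
    "Logon Type: 2 New Logon: Security ID: MYDOM\\account1 Account Name: account1 Account Domain: MYDOM "
    "Network Information: Workstation Name: INTSERV01 Source Network Address: - Source Port: -",
    "Aug 20 00:33:12 logserv1 3 LOGSERV1 08/19/2013 11:34:14 PM LogName=Security "
    "SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information "
    "ComputerName=INTSERV01.mydomain.com TaskCategory=Logon Message=An account was successfully logged on. "
    "Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: MYDOM\\svc_scan Account Name: svc_scan Account Domain: MYDOM "
    "Network Information: Workstation Name: - Source Network Address: 10.18.0.77 Source Port: 49311",
]

# Field extractions for the one event layout shown above (hypothetical names, not Splunk's).
FIELD_PATTERNS = {
    "computer_name": re.compile(r"\bComputerName=(\S+)"),
    "event_code": re.compile(r"\bEventCode=(\d+)"),
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    # "Account Name:" appears twice; the account that logged on is the one under "New Logon:".
    "account": re.compile(r"New Logon:.*?Account Name:\s+(\S+)"),
    "workstation_name": re.compile(r"Workstation Name:\s+(\S+)"),
    "src_ip": re.compile(r"Source Network Address:\s+(\S+)"),
}


def short_hostname(name: str) -> str:
    """First DNS label of an FQDN, upper-cased: the NetBIOS-style name that
    mvindex(split(ComputerName, "."), 0) produces in SPL, plus case folding."""
    return name.split(".", 1)[0].upper()


def parse_event(line: str) -> dict:
    """Pull only the fields this check needs out of one 4624 line."""
    event = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = pattern.search(line)
        event[key] = match.group(1) if match else None
    return event


def workstation_mismatch(event: dict) -> Optional[bool]:
    """True when the logon's Workstation Name is not the logging host itself,
    False when it is, None when there is nothing to compare: the event is not a
    4624, or Windows wrote "-" (common for network and service logons)."""
    if event.get("event_code") != "4624" or not event.get("computer_name"):
        return None
    workstation = event.get("workstation_name")
    if not workstation or workstation == "-":
        return None
    return short_hostname(event["computer_name"]) != workstation.upper()


def find_remote_logons(lines) -> list:
    """Parsed events whose Workstation Name differs from ComputerName."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if workstation_mismatch(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_remote_logons(SAMPLE_EVENTS):
        print(f"{hit['account']} logged on to {hit['computer_name']} (type {hit['logon_type']}) "
              f"from {hit['workstation_name']} / {hit['src_ip']}")
```

Two things the Python version handles that the one-line SPL in the answer does not: `where` compares strings case-sensitively, so `lower()` both sides (`| eval short=lower(mvindex(split(ComputerName, "."), 0)) | where workstation_name!="-" AND short!=lower(workstation_name)`), and `eval host=...` overwrites Splunk's own `host` field in the results, so pick a field name of your own for the short name.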