Reviving this as I am seeking an answer to the same issue and have yet to be able to find it.
What arkonner was saying is that they don't want the computer accounts to show in the results. I am trying to do the same but simply ignoring values that end in "$" is sloppy and could potentially hide valid results.
This search highlights the issue, I do not want to display results where the user matches any Workstation_Name appended with "$". The only way to make this work that I can think of is to build an array of Workstation_Name values and elminate users that match any value in the array... but I'm relatively new to Splunk and don't know how to do that yet.
index=wineventlog sourcetype="wineventlog:security" src_ip= | stats count by Workstation_Name user
... View more