Thanks for your answer, that works to get the result on different rows, however I need the result to be in separate fields.

Can this method be adapted for that?

Thanks,

If it's always two, you could do this...,

| makeresults | eval output="From: Me (me@me.com)
Sent: 28 September 2018 17:42
To: You (you@you.com)
Subject: This is the first email

From: Me (me@me.com)
Sent: 28 September 2018 18:42
To: You-aswell (you-aswell@you.com)
Subject: This is the second email
There is more stuff after the email headers, so this here represents more stuff"
| rex field=output "**Sent**:\s(?\d+\s\w+\s\d+\s\d+:\d+)" max_match=0
| eval sent_time_1=mvindex(sent_time, 0)
| eval sent_time_2=mvindex(sent_time, 1)
| table output sent_time_1, sent_time_2

This method worked for me on an Windows Event log where "Account Name:" appears twice on every event and I only wanted the 2nd name, not the first. The only oddity unresolved was when one of the two names were null in the event. There might be a way to fix that. Other than that, it worked.  

index=* host=*servername* password EventCode=4625

| rex field=Message "Account Name:\s+(?<ACCOUNT_NAME>[^\r\n]+)" max_match=0

| eval Account_Name_1=mvindex(Account_Name, 0)

| eval Account_Name_2=mvindex(Account_Name, 1)

| table DomainController, Account_Name_2

That almost works, although I can't guarantee that there will always be 2, sometimes there will be 3 or 4. I need to make sure it only selects the first 2.

Hi,
mvindex will still work, ref documentation here - http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/MultivalueEvalFunctions

As the documentation says, mvindex starts from 0 and as @darrenfuller has stated, irrespective of 3-4..n matches in your output field for the above rex, mvindex of 0 and 1 are going to fetch the 1st and 2nd fields respectively.
Can you please try and confirm?

Hello, apologies it was an error from a different function that threw up the error. This worked perfectly, thank you for your help