This is an example of an event for EventCode=4726. As you see, there are two Account Name fields, which the Splunk App parses as ... two account names.
11/19/2023 01:00:38 PM
LogName=Security
EventCode=4726
EventType=0
ComputerName=dc.acme.com
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=1539804373
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was deleted.
Subject:
Security ID: Acme\ScriptRobot
Account Name: ScriptRobot
Account Domain: Acme
Logon ID: 0x997B8B20
Target Account:
Security ID: S-1-5-21-329068152-1767777339-1801674531-65826
Account Name: aml
Account Domain: Acme
Additional Information:
Privileges -
I want to search for all events with Subject: Account Name = ScriptRobot and then list all Target Account: Account Name values. Knowing that multiline regex can be a bit cumbersome, I tried the following search string, but it does not work:
index="wineventlog" EventCode=4726 | rex "(?s)Subject:.*?Account Name:\s+(?<SubjectAccount>\S+).*?Target Account:.*?Account Name:\s+(?<TargetAccount>\S+)"
| search SubjectAccount=ScriptRobot | stats values(TargetAccount) AS DeletedAccounts BY SubjectAccount
If Splunk already extracted two Account Names, wouldn't it be simpler to call the first value and second value different names?
index="wineventlog" EventCode=4726
| eval SubjectAccountName = mvindex('Account Name', 0)
| eval TargetAccountName = mvindex('Account Name', 1)
Also, I remember that some say Windows events can come in as JSON. If you have structured data, you don't need to worry about these at all.
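Putting both approaches side by side, as an added example that is not code from either post above: this Python script builds a few 4726 messages in the same layout as the event in the question (the first mirrors it; the extra account names jdoe, svc_old and Administrator, their SIDs and the second Logon ID are invented), runs a corrected multiline regex with the DOTALL flag, runs the positional first/second Account Name approach from the answer, keeps the shape of the original non-working rex to show it never matches, and groups Target accounts by Subject. The names make_4726, extract_accounts, accounts_positional and targets_by_subject are made up for this example.

```python
import re
from collections import defaultdict


def make_4726(subject: str, target: str, target_rid: int, logon_id: str) -> str:
    """Build a constructed EventCode=4726 message in the layout shown in the question."""
    return (
        "LogName=Security\n"
        "EventCode=4726\n"
        "Message=A user account was deleted.\n"
        "Subject:\n"
        f"Security ID: Acme\\{subject}\n"
        f"Account Name: {subject}\n"
        "Account Domain: Acme\n"
        f"Logon ID: {logon_id}\n"
        "Target Account:\n"
        f"Security ID: S-1-5-21-329068152-1767777339-1801674531-{target_rid}\n"
        f"Account Name: {target}\n"
        "Account Domain: Acme\n"
        "Additional Information:\n"
        "Privileges -\n"
    )


# Constructed sample events: the first mirrors the one in the question; the
# other two (jdoe, svc_old, Administrator, their RIDs, the Logon ID) are invented.
EVENTS = [
    make_4726("ScriptRobot", "aml", 65826, "0x997B8B20"),
    make_4726("ScriptRobot", "jdoe", 65901, "0x997B8B20"),
    make_4726("Administrator", "svc_old", 1105, "0x3E7A1C0"),
]

# Corrected pattern: re.S (PCRE "(?s)") lets "." cross newlines, and the lazy
# ".*?" stops at the first "Account Name:" inside each section, so the first
# capture is the Subject and the second is the Target.
PATTERN = re.compile(
    r"Subject:.*?Account Name:\s+(?P<subject>\S+)"
    r".*?Target Account:.*?Account Name:\s+(?P<target>\S+)",
    re.S,
)

# Shape of the original, non-working rex: the literal "Subject Account Name:"
# never appears in the message, and without (?s) "." cannot reach later lines.
BROKEN = re.compile(
    r"Subject Account Name:\s+Account Name:\s+(?P<subject>\S+)"
    r".*\s+Target Account:\s+Account Name:\s+(?P<target>\S+)"
)


def extract_accounts(event: str, pattern=PATTERN):
    """Return (subject_account, target_account), or None if the pattern does not match."""
    m = pattern.search(event)
    return (m.group("subject"), m.group("target")) if m else None


def accounts_positional(event: str):
    """The answer's approach: the 1st and 2nd 'Account Name:' values (mvindex 0 and 1)."""
    names = [line.split(":", 1)[1].strip()
             for line in event.splitlines()
             if line.startswith("Account Name:")]
    return (names[0], names[1]) if len(names) >= 2 else None


def targets_by_subject(events, subject_filter=None):
    """Group deleted Target accounts by the Subject that deleted them."""
    grouped = defaultdict(set)
    for ev in events:
        if "EventCode=4726" not in ev:
            continue  # only account-deletion events carry a Target Account section
        pair = extract_accounts(ev)
        if pair and (subject_filter is None or pair[0] == subject_filter):
            grouped[pair[0]].add(pair[1])
    return {s: sorted(t) for s, t in grouped.items()}


if __name__ == "__main__":
    for ev in EVENTS:
        print("regex:", extract_accounts(ev), "positional:", accounts_positional(ev),
              "broken rex:", extract_accounts(ev, BROKEN))
    print(targets_by_subject(EVENTS, subject_filter="ScriptRobot"))
```

In SPL the equivalent of re.S is the (?s) prefix inside the rex. The positional mvindex approach is shorter, but it relies on the add-on extracting the field as a multivalue field in document order, so check with a quick table of that field (whatever name the add-on gives it) that index 0 really is the Subject before building a report on it.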