Hi, 

I am new to Splunk environment. 

I am trying to extract ModifiedAccountName, ModifiedAccountDomain, ModifiedLogonID and ModifiedLogonType using following regex--

Regex

^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$

Where raw Log is --

SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=abc1.abc.aa.abc
TaskCategory=Logoff
OpCode=Info
RecordNumber=12232
Keywords=Audit Success
Message=An account was logged off.

Subject:
Security ID: ABC\A12345F123$
Account Name: A123B126$
Account Domain: ABC
Logon ID: 0xA01234C

Logon Type: 5

Getting error "Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?<name>...)." while executing below Splunk search query ---

index=*windows* |rex field=_raw "^(?msi)^EventCode=4634[^0-9].*Account\sName:\s+(?<ModifiedAccountName>[a-z0-9]+[\$]).*Account\sDomain:\s+(?<ModifiedAccountDomain>[a-z]+).*Logon\sID:\s+(?<ModifiedLogonID>[A-Z0-9]+).*Logon\sType:\s+(?<ModifiedLogonType>[\d]+)$"

Please advise. 

Thanks in advance.