Attempting to create a Rex extract during search to extract a field from the message field in winsecurity event logs.
Need to extract the Member: information from examples such as:
A member was added to a security-enabled local group. Subject: Security ID: Domain1\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 Member: Security ID: Domain1\TestAdmins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
A member was added to a security-enabled local group. Subject: Security ID: server1\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 Member: Security ID: Domain1\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
I was able to create a rex that locates the Member: area and extracts the Security ID: which includes the domain\user; however, when the user or group name has a space, it does not extract the entire name.
Here is what I have tried so far:
rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?<SecurityID>\S+)"
rex field=Message "(?ms)Security ID:.*?Security ID:\s+(?<SecurityID>\w+\W\w+\s\w+)"
I need to find a way for it to extract the domain\user with and without spaces in the name. Is there a way to have the extraction stop once it reaches the word Account? Or some other rex that would work?
Try this:
|rex field=Message "(?ms)Member\:\sSecurity ID\:\s(?<SecurityID>.*?)\sAccount\sName"
Run-anywhere sample search with your example:
| gentimes start=-1 | eval temp="A member was added to a security-enabled local group. Subject: Security ID: Domain1\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 Member: Security ID: Domain1\TestAdmins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -#A member was added to a security-enabled local group. Subject: Security ID: server1\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 Member: Security ID: Domain1\Domain Admins Account Name: - Group: Security ID: BUILTIN\Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as Message |rex field=Message "(?ms)Member\:\sSecurity ID\:\s(?<SecurityID>.*?)\sAccount\sName"
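The same extraction idea, applied outside Splunk as an added example that is not part of the original answer: anchor on the "Member:" block and stop at the next "Account Name" label so names containing spaces come through whole. The two messages are constructed from the events quoted in the question; the function names and the "watched groups" list are assumptions for illustration.

```python
import re

# Constructed sample messages, modelled on the two events quoted in the question
# ("A member was added to a security-enabled local group").
SAMPLE_MESSAGES = [
    "A member was added to a security-enabled local group. Subject: Security ID: "
    "Domain1\\UserTest Account Name: UserTest Account Domain: Domain1 Logon ID: 0xd8a6824 "
    "Member: Security ID: Domain1\\TestAdmins Account Name: - Group: Security ID: "
    "BUILTIN\\Administrators Group Name: Administrators Group Domain: Builtin "
    "Additional Information: Privileges: -",
    "A member was added to a security-enabled local group. Subject: Security ID: "
    "server1\\Administrator Account Name: Administrator Account Domain: server1 Logon ID: 0x5aa535 "
    "Member: Security ID: Domain1\\Domain Admins Account Name: - Group: Security ID: "
    "BUILTIN\\Administrators Group Name: Administrators Group Domain: Builtin "
    "Additional Information: Privileges: -",
]

# Same shape as the rex in the answer: find the "Member:" block, then capture up to the
# next "Account Name:" label. The lazy .*? stops at the first such label, so the capture
# cannot run on if a message ever carries more than one "Account Name" after "Member:".
MEMBER_RE = re.compile(
    r"Member:\s+Security ID:\s+(?P<MemberSecurityID>.*?)\s+Account Name:", re.S
)
# Group being modified (target of the addition), captured the same way.
GROUP_RE = re.compile(
    r"Group:\s+Security ID:\s+(?P<GroupSecurityID>.*?)\s+Group Name:\s+"
    r"(?P<GroupName>.*?)\s+Group Domain:",
    re.S,
)


def extract_member(message):
    """Return the Member Security ID (domain\\name, spaces allowed) or None."""
    m = MEMBER_RE.search(message)
    return m.group("MemberSecurityID") if m else None


def extract_group(message):
    """Return (group Security ID, group name) or None."""
    m = GROUP_RE.search(message)
    return (m.group("GroupSecurityID"), m.group("GroupName")) if m else None


def high_value_additions(messages, watched=("Administrators",)):
    """Defender view: (member, group) pairs where the target group is one worth alerting on."""
    hits = []
    for msg in messages:
        member, group = extract_member(msg), extract_group(msg)
        if member and group and group[1] in watched:
            hits.append((member, group[1]))
    return hits
```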
OK, why are all the backslashes missing from my post, lol.
The same happened to me today 🙂