Couldn't get this one to work

Ok. Give this as try as well

... | rex  "Account Name:.*([\r\n])*Account Name\:\s+(?<user>.*)[\r|\n]*""

Yes this worked as well BUT with the caveat that it includes BOTH Account Names

Unfortunately both Account Name fields are preceded by Security ID fields

| eval subject_account=mvindex(Account_Name, 0) | eval target_account=mvindex(Account_Name, 1) |

Just add another line then to give it more context... i.e.

 | rex "Account That Was Locked Out\: \S*[\r|\n]Security ID\: \S*[\r|\n]Account Name\: (?<user>\S*)[\r|\n]"

You can also add what should be expected after the field extraction too.

That is what I did, thanks!

Can you choose Accept Answer please?

Also, out of curiosity, what happens if you use the interactive field extractor in Splunk Web?

the specific event code Im looking at is: EventCode=4740

Do you mean: Splunk_TA_windows, if so, yes its installed and deployed but there are no fields named (Src and Dest user)

Looking through the TA's Props.conf and transforms.conf now and those fields do have their regex written for them. You installed the Splunk_TA_windows on the search heads? -- Presumably, I'd rather get the TA fixed than have a custom REGEX that only solves one field over all of the fields. Do you have any custom parsers written at the private, app or global level for Windows events? That would be the #1 reason why the TA no longer parses the data.

So it seems there was an override. I put in the field extraction from above as a temp fix but you are also correct. I will correct this at the source ASAP