@cphair, I think I understand your question, maybe. if you know username and domain will always appear together. If you wanted to preform multiple field extractions in the statment you might want to use the |(pipe) to make the match optional. Keep in mind that using the |(pipe) following alternative will be tried if the regex backtraces into the group.

Ok, I think I understand what you are trying to do and the following regex statement should work or at the very least get you most of the way there.

(?m)^\s+(User\sName:\s+(?P[^\s]+|))|(?:Account\sFor\sWhich\sLogon\sFailed\s+Account\sName:\s+(?P[^\s]+))\r

OR

(?m)^\s+((?:User\sName:\s+(?P[^\s]+|))|(?:Account\sFor\sWhich\sLogon\sFailed\s+Account\sName:\s+(?P[^\s]+|)))\r

Your Formate notation:
FORMAT = account_name::$1 account_name::$2

@bmacias84, if you know the Message format is always the same, can you add "Domain:" to the end of your regex, after the parentheses? Do you really need to perform multi- and single-line matching for a username extraction?

Can you provide a sample of the event extract_accountname is used in?

props.conf
[tcp-raw]
REPORT-extract_names = extract_username, extract_accountname

transforms.conf
[extract_username]
- extracts the user name field in Windows security logs
REGEX = (?ms)^\s+User Name:\s+([^\s]+|)\r
FORMAT = user_name::$1

[extract_accountname]
- extracts the account name field in Windows security logs
REGEX = (?ms)Account For Which Logon Failed.+?Account Name:\s+(\V+)
FORMAT = account_name::$1

It works with the \r at the end in an editor like gskinner.com/regexr. In Splunk, I have two extractions for one sourcetype. One for the username that you helped with and another for account names. The problem I have now is when I add the \r to regex in transforms.conf, the username is no longer extracted, only the account name. I must be missing something.