Perhaps you will want to give this regex a go...

| rex field=_raw "Account\sThat\sWas\sLocked\sOut:[\r\n]\s+Security\sID\:\s+(?<secID>\S+)

(Please remove ## before secID, the formatting is messing it up a bit.)

The reason that your original regex failed is because you tried using a carriage return and a new line as your anchor without making it a character group. This means that it was looking for both and not just one of them.

Please understand that the regex I posted above is very simple and can be tweaked quite a bit. If you want to be much more specific with it you can define only the characters you want instead non-space character as in my example (in case the domain name has spaces). Eg.

| rex field=_raw "Account\sThat\sWas\sLocked\sOut\:[\r\n]\s+Security\sID\:\s+(?<##secID>[\w\\\]+)"

I think I know what you are trying to accomplish. I’ve tested this and works with your sample data.

(?im)Account\sThat\sWas\sLocked\sOut:\s+Security\s+ID:\s+(?P<secID>[^\r\n]+)

I would recommend reading www.regular-expressions.info and purchasing Regex Buddy which is a great tool for testing regex statements.

Update options 2:

Using the search language this can also be accomplished. I'll break it down by segment.

First you have your base search which returns all your events.

index=main source="WinEventLog:Security"  |

Now if you event is mutli-valued and and the location is constant you can use mvcount and mvindex. mvcount will return the number of values stored in your mvfield. mvindex can return a single or subset of values in your mvfield.

where mvcount(Security_ID) = 2|  eval account=mvindex(Security_ID,1) | 

To verify your results use the fields or table command.

index=main source="WinEventLog:Security" | where mvcount(Security_ID) = 2|  eval account=mvindex(Security_ID,1) | table _time, Security_ID, account 

Don’t forget to accept or thumbs up answers if they help. Cheers