#include <StringConstants.au3> ; to declare the Constants of StringRegExp
#include <Array.au3> ; UDF needed for _ArrayDisplay and _ArrayConcatenate
Local $sRegex = "(?m)^.*?\bMicrosoft-Windows-Security-Auditing[^\S\r\n]+4740[^\S\r\n]+.*(?:\r?\n(?!Subject:).*)*\r?\nSubject:(?:\r?\n(?![^\S\r\n]*Account Name:).*)*\r?\n.*Account Name:[^\S\r\n]*(\w+)\$(?:\r?\n(?!Account).*)*\r?\nAccount.*(?:\r?\n(?![^\S\rn]*Account Name:).*)*\r?\n.*Account Name:[^\S\r\n]*(\S+)"
Local $sString = "Information 22.12.2020 21:28:46 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: SYSTEM" & @CRLF & _
" Account Name: SERVER23$" & @CRLF & _
" Account Domain: DOMAIN" & @CRLF & _
" Logon ID: 0x3E7" & @CRLF & _
"" & @CRLF & _
"Account That Was Locked Out:" & @CRLF & _
" Security ID: domain\firstname.lastname" & @CRLF & _
" Account Name: firstname.lastname" & @CRLF & _
"" & @CRLF & _
"Information 22.12.2020 21:28:46 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: SYSTEM" & @CRLF & _
" Account Name: SERVER23$" & @CRLF & _
" Account Domain: DOMAIN" & @CRLF & _
" Logon ID: 0x3E7" & @CRLF & _
"" & @CRLF & _
"Account That Was Locked Out:" & @CRLF & _
" Security ID: domain\john.doe" & @CRLF & _
" Account Name: john.doe" & @CRLF & _
"" & @CRLF & _
"Information 22.12.2020 21:28:46 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: SYSTEM" & @CRLF & _
" Account Name: SERVER23$" & @CRLF & _
" Account Domain: DOMAIN" & @CRLF & _
" Logon ID: 0x3E7" & @CRLF & _
"" & @CRLF & _
"Account That Was Locked Out:" & @CRLF & _
" Security ID: domain\adon.cekaj" & @CRLF & _
" Account Name: adon.cekaj" & @CRLF & _
"" & @CRLF & _
"This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested." & @CRLF & _
"" & @CRLF & _
"This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket." & @CRLF & _
"" & @CRLF & _
"Ticket options, encryption types, and failure codes are defined in RFC 4120."" & @CRLF & _
"Information 22.12.2020 21:34:41 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: SYSTEM" & @CRLF & _
" Account Name: SERVER23$" & @CRLF & _
" Account Domain: DOMAIN" & @CRLF & _
" Logon ID: 0x3E7" & @CRLF & _
"" & @CRLF & _
"Account That Was Locked Out:" & @CRLF & _
" Security ID: DOMAIN\simon.brandlaub" & @CRLF & _
" Account Name: simon.brandlaub" & @CRLF & _
"" & @CRLF & _
"Information 22.12.2020 12:39:37 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: SYSTEM" & @CRLF & _
" Account Name: SERVER23$" & @CRLF & _
" Account Domain: DOMAIN" & @CRLF & _
" Logon ID: 0x3E7" & @CRLF & _
"" & @CRLF & _
"Account That Was Locked Out:" & @CRLF & _
" Security ID: DOMAIN\robin.hutmacher" & @CRLF & _
" Account Name: robin.hutmacher" & @CRLF & _
"" & @CRLF & _
""
Local $aArray = StringRegExp($sString, $sRegex, $STR_REGEXPARRAYGLOBALFULLMATCH)
Local $aFullArray[0]
For $i = 0 To UBound($aArray) -1
_ArrayConcatenate($aFullArray, $aArray[$i])
Next
$aArray = $aFullArray
; Present the entire match result
_ArrayDisplay($aArray, "Result")
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for AutoIt, please visit: https://www.autoitscript.com/autoit3/docs/functions/StringRegExp.htm