I want to find all the senders to a particular recipient from my Proofpoint logs coming into Splunk. I am facing one issue here. For some events the sender shows as blank, but the actual event does contain a value for the sender field. For most events the sender and recipient fields have the same timestamp, but for some there is a delay of 4 to 5 seconds between the sender event and the recipient event, and for those the table shows the sender as blank. Below is the query:
index=proofpoint sourcetype=pps_log mod=mail (cmd=env_rcpt OR cmd=env_from)
| eval Recipient=(if(cmd=="env_rcpt",value," "))
| eval Sender=(if(cmd=="env_from",value," "))
| stats values(Recipient) as Recipient,values(Sender) as Sender by _time,s
| mvexpand Sender
| where LIKE (Recipient,"email@example.com%")
| eval Time=strftime(_time,"%d-%m-%Y %H:%M:%S")
| table Time Sender Recipient
How do I resolve the issue? I want the Sender field to be shown even when there is a time gap of 4 to 5 seconds between the sender event and the recipient event. Here the unique field is "s", which is the event id of the message.
The images below show the output:
- The final table, in which some events have Sender blank:
- When the timestamps of the Sender and Recipient events match, Sender is displayed in the table:
- When there is a gap of 4 to 5 seconds between the two events, the Sender field is blank:
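As an added example (not part of the original question), the query below drops `_time` from the `stats ... by` clause and groups on the session id `s` alone, so the `env_from` and `env_rcpt` events of one message are combined no matter how many seconds apart they were logged. It assumes the same field names as the post (`cmd`, `value`, `s`) and keeps the earliest `_time` of the pair for the Time column. Using `null()` rather than a single space as the placeholder keeps the blank from appearing in `values()`, and expanding Recipient before the `where` applies the filter to each recipient of a multi-recipient message separately.

```spl
index=proofpoint sourcetype=pps_log mod=mail (cmd=env_rcpt OR cmd=env_from)
| eval Recipient=if(cmd=="env_rcpt", value, null())
| eval Sender=if(cmd=="env_from", value, null())
| stats min(_time) as _time, values(Recipient) as Recipient, values(Sender) as Sender by s
| mvexpand Recipient
| where like(Recipient, "email@example.com%")
| eval Time=strftime(_time, "%d-%m-%Y %H:%M:%S")
| table Time Sender Recipient
```

Two caveats: a message whose two events straddle the edge of the search time range still loses one side, so widen the window by a few seconds beyond the period of interest; and if a single session `s` can carry more than one message in your logs (an assumption, not something the post states), Sender becomes multivalue and should be keyed on the per-message id field instead, where one is available.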