Splunk is not showing the Cisco Email Security event as one event; each log line is showing as one individual event.
Somehow I managed to arrange the events under one event occurrence. Below is the query.
index=cisco_es | rex "MID\s(?<MID_New>\d+)" | rex "DCID\s(?<DCID_New>\d+)" | rex "ICID\s(?<ICID_New>\d+)" | transaction MID_New DCID_New ICID_New maxevents=30 endswith="Message done" | search MID_New="xxxxx"
Now I want to enhance the search: I want to list all the attachments and whether the email got delivered or not.
Please help me to conclude this.
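As an added example (not part of the original post or of Splunk), the same MID-keyed grouping plus the requested attachment list and delivery status, written in Python so the logic can be checked outside Splunk. The log lines are constructed in the style of Cisco ESA mail_logs, and the status rule ("Message done" means delivered, "Bounced" means bounced, anything else pending) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Cisco ESA mail_logs (not a real capture).
SAMPLE_LOG = """\
Thu Mar  4 10:00:01 2021 Info: Start MID 6789 ICID 12345
Thu Mar  4 10:00:01 2021 Info: MID 6789 ICID 12345 From: <sender@example.com>
Thu Mar  4 10:00:01 2021 Info: MID 6789 ICID 12345 RID 0 To: <user@example.net>
Thu Mar  4 10:00:02 2021 Info: MID 6789 attachment 'invoice.pdf'
Thu Mar  4 10:00:02 2021 Info: MID 6789 attachment 'terms.docx'
Thu Mar  4 10:00:03 2021 Info: Delivery start DCID 555 MID 6789 to RID [0]
Thu Mar  4 10:00:03 2021 Info: Message done DCID 555 MID 6789 to RID [0]
Thu Mar  4 10:01:00 2021 Info: Start MID 6790 ICID 12346
Thu Mar  4 10:01:00 2021 Info: MID 6790 attachment 'report.xlsx'
Thu Mar  4 10:01:02 2021 Info: Bounced: DCID 556 MID 6790 to RID 0 - Bounced by destination server
"""

# Same extractions as the rex stages in the SPL query, as Python named groups.
MID_RE = re.compile(r"\bMID\s(?P<MID_New>\d+)")
ICID_RE = re.compile(r"\bICID\s(?P<ICID_New>\d+)")
DCID_RE = re.compile(r"\bDCID\s(?P<DCID_New>\d+)")
ATTACH_RE = re.compile(r"\battachment '([^']+)'")


def build_transactions(log_text):
    """Group lines by MID (like `transaction MID_New`) and summarise each message."""
    txns = defaultdict(lambda: {"ICID_New": set(), "DCID_New": set(),
                                "attachments": [], "events": 0,
                                "delivered": False, "bounced": False})
    for line in log_text.splitlines():
        mid = MID_RE.search(line)
        if not mid:
            continue  # lines without a MID (e.g. 'New SMTP ICID ...') are not message events
        t = txns[mid.group("MID_New")]
        t["events"] += 1
        for rx, key in ((ICID_RE, "ICID_New"), (DCID_RE, "DCID_New")):
            hit = rx.search(line)
            if hit:
                t[key].add(hit.group(key))
        t["attachments"].extend(ATTACH_RE.findall(line))
        # Assumed status rule: 'Message done' = delivered, 'Bounced' = bounced.
        if "Message done" in line:
            t["delivered"] = True
        if "Bounced" in line:
            t["bounced"] = True
    for t in txns.values():
        t["status"] = ("delivered" if t["delivered"]
                       else "bounced" if t["bounced"] else "pending")
    return dict(txns)
```

In SPL the equivalent after the transaction is a `rex max_match=0` on the attachment names followed by an `eval` that tests whether the transaction contains "Message done".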