Can you please try this?
YOUR_SEARCH
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDsMy Sample Search :
| makeresults | eval raw="[7/14/21 3:00 CDT] 3 IDs are found for the type 234456 and for the subtype 12334^12344|[7/14/21 3:00 CDT] It is being sent to will@sons|[7/14/21 3:01 CDT] It is being sent to william@sons|[7/14/21 3:01 CDT] It is being sent to heather@sons|[7/14/21 3:02 CDT] 4 IDs are found for the type 234457 and for the subtype 12335^12345|[7/14/21 3:02 CDT] It is being sent to will3@sons|[7/14/21 3:03 CDT] It is being sent to william3@sons|[7/14/21 3:03 CDT] It is being sent to heather1@sons"
| eval raw=split(raw,"|")| mvexpand raw | rename raw as _raw
|rename comment as "Upto Now is sample data only"
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDs
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
