somehow I manage to arrange the event under one event occurrence. below is the query.
index=cisco_es | rex "MID\s(?\d+)" | rex "DCID\s(?\d+)" | rex "ICID\s(?\d+)" | transaction MID_New DCID_New ICID_New maxevents=30 endswith="Message done" | search MID_New="xxxxx"
