I have mail.log. This is displayed in the "Event" column:
May 24 14:02:05 srv7 amavis[10129]: (10129-08) Passed CLEAN {RelayedInbound}, [IP]:59703 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: CC8511E237D, Message-ID: <ID@domain.com>
May 24 13:37:34 srv7 amavis[10129]: (10129-03) Passed CLEAN {RelayedOutbound}, LOCAL [IP]:40060 <first.last@domain.com> -> <email@email.com>, Queue-ID: E61E71E237D, Message-ID: <ID@domain.com>
May 24 13:45:32 srv7 amavis[10129]: (10129-04) Passed CLEAN {RelayedInbound}, [IP]:14208 [IP] <email@email.com> -> <first.last@domain.com>, Queue-ID: E5C8B1E237D, Message-ID: <ID@domain.com>
I wish to extract the 2 email address, display them in a table and count how many emails each email address has.
| rex "<(?<fromaddress>[^@]+@[^>]+)> -> <(?<toaddress>[^@]+@[^>]+)>"
| stats count by fromaddress toaddress
| rex "<(?<fromaddress>[^@]+@[^>]+)> -> <(?<toaddress>[^@]+@[^>]+)>"
| stats count by fromaddress toaddress