Are you searching by the subject? Since the ironport logs the recipient, sender, and subject in separate events, you have to search by message (MID) to see all of the fields. Do you have field extractions setup for the Ironport logs? Typically, what you would want to do is search for the subject in a subsearch, then pass a list of MIDs to the main search, so that you can see all of the events associated with that particular subject. This search should work, even if you aren't extracting the Ironport fields. You need to replace sourcetype=ironport with whatever search terms you use to find your ironport logs (maybe a different sourcetype, or index, etc), and replace the My Subject with the keywords from your subject in the subsearch.

sourcetype=ironport [search sourcetype=ironport My Subject | rex "MID\s(?<MID>\d+)" | dedup MID | fields MID | rename MID AS query | format] | rex "MID\s(?<MID>\d+)" | rex "Subject\s(?<subject>.*)" | rex "To:\s\<(?<recipient>[^\>]+)" | rex "From:\s\<(?<sender>[^\>]+)" | stats values(sender) AS Sender values(recipient) AS recipient values(subject) AS Subject by MID

If you search your Ironport data, and you do have fields extracted already (like subect, to, from, etc.). Then you can still use the above search. Just exclude the rex statements and substitute in your field names. If you don't have the fields extracted already, I recommend you look at deploying the add-on for ESA (Ironport) as it will include field extractions so you don't have to create them yourself.

https://splunkbase.splunk.com/app/1761/#/overview