the problem with that is then that will only remove one event when there are 20+ events that contain that MID.
event1, maildirection=outbound, MID=123
event2, sourceuser=user1, MID=123
event3, destinationuser=user2, MID=123
event1, maildirection=outbound, MID=124
event2, sourceuser=user1, MID=124
event3, destinationuser=user2, MID=124
event1, maildirection=outbound, MID=125
event2, sourceuser=user1, MID=125
event3, destinationuser=user2, MID=125
in that last search each event1 would not be returned, but the rest of the events with MID 123, 124 and 125 would be returned.
So i have email events, where a series of logs have the same Message ID (MID).
So instead of having to run:
sourcetype="email" | transaction MID |
I want to limit the number of entries and only search against MailDirectionField=inbound. Not every event has MailDirectionField, but they do have the MID field. so I want my evaluation to state that if MailDirectionField=inbound then NOT MID associated with that event.