I've seen quite a few posts about IronPort/Cisco ESA mail logs and how folks have put them together with transaction. However I see one flaw, they don't have a way to include a rewritten MID's rewritten MID. Conceptually I'm having a hard time figuring out how to approach this, any ideas would be greatly appreciated.

MID 70101307 rewritten to MID 70101309 by url-reputation-replace-action filter 'Malicious_URL'
Message finished MID 70101307 done
MID 70101309 rewritten to MID 70101311 by url-threat-protection filter 'Threat Protection'
Message finished MID 70101309 done
Message finished MID 70101311 done

As one can see there are a total of 3 MIDs here.
1. 70101307 which is the first, and root, event
2. 70101307 is rewritten to 70101309
3. 70101309 is rewritten to 70101311

These are all the same message, and I would like to combine them all into a single event. This scenario happens more often than one may assume. Unfortunately folks who are relying on | transaction mid will miss all of the rewritten MID's actions; there is a ton of juicy data there. Using a lookup populated immediately before with maps of MID to rewritten MID is another great idea, and that's how I'm successfully combining the first and second MIDs, but not sure how to capture rewritten MID's rewritten MID. The following is a light example of what I'm doing today, reduced down to the SPL that matters.

index=ironport
| transaction mid
| table _time,host,mid,rewrite_mid
| outputlookup append=false bufferlookup

index=ironport
| lookup local=true bufferlookup host,mid OUTPUT mid AS buffer_mid,rewrite_mid AS buffer_rewrite_mid
| lookup local=true bufferlookup host,mid AS rewrite_mid OUTPUTNEW mid AS buffer_mid,rewrite_mid AS rewrite_mid
| eval anchor=if(!isnull(buffer_mid) and buffer_mid>0,buffer_mid.":".buffer_rewrite_mid,mid)
| transaction anchor