It would help to know the error you received, but I suspect it's a syntax error of some sort. That's because subsearches have to be placed where their results would make semantic sense.
IOW, if the subsearch produces a result like (original_user=foo OR original_user=bar) then this makes no sense.
| eval Name= mvindex((newValue),1)
(original_user=foo OR original_user=bar)
| stats values(*) as *
Try this, instead
(index=<my index>) EventType="A" EventType=A
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| search [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| format ]
| stats values(*) as *
Or this similar query for better performance
(index=<my index>) EventType="A" EventType=A [ search index=<my index> <filtering by a string>
| eval src_email= mvindex((newValue),3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user
| rename original_user as username
| format ]
| rename username as original_user
| eval Id= mvindex((newValue),0)
| eval Name= mvindex((newValue),1)
| stats values(*) as *
---
If this reply helps you, Karma would be appreciated.
