That doesn't really explain what statistic you want. Can you give an example of what you would like the table to look like?

Example:  in one line get the following extract from multiple line in the search: for each specific MID, display the associated field sender,message_subject,recipient,reason,virus_vendor_category

,MID, sender,message_subject,recipient,reason,virus_vendor_category

3035876,vivek.sood@swiftsecuritas.in,info@mycompany.com,Revised Order 21-09-20, "Virus" (a/v verdict:VIRAL), CXmail/RtfObf-D

vivek.sood@swiftsecuritas.in is in a line,

each field are in different lines

Which field identifies these as all being part of the same threat?

| stats values(sender) as sender, values(message_subject) as message_subject, values(recipient) as recipient, values(reason) as reason, values(virus_vendor_category) by virus_vendor_category by id
| fields - id

Ok thank you.

Example:  in one line get the following extract from multiple line in the search: for each specific MID, display the associated field sender,message_subject,recipient,reason,virus_vendor_category

,MID, sender,message_subject,recipient,reason,virus_vendor_category

3035876,vivek.sood@swiftsecuritas.in,info@mycompany.com,Revised Order 21-09-20, "Virus" (a/v verdict:VIRAL), CXmail/RtfObf-D

3035879,vivek.sood2@swiftsecuritas.in,info2@mycompany.com,Invoice 21-09-20, "Virus" (a/v verdict:VIRAL), CXmail/RtfObf-B

3035880,vivek.sood3@swiftsecuritas.in,info@mycompany.com,Invoice2 21-09-20, "Virus" (a/v verdict:VIRAL), CXmail/RtfObf-D

| stats values(sender) as sender, values(message_subject) as message_subject, values(recipient) as recipient, values(reason) as reason, values(virus_vendor_category) by virus_vendor_category by MID
| fields - MID

The fields line removes the MID from the table if you don't want to show that

MID is not a field but is displayed in the line. So i think i need to use regex expression.

For each specific MID displayed in each line,   diplays in a table , MID id and associated stats values

What is the field name that you have extracted the MID into?

I want to check MID with the value :

14:44:56 mail_logs: Info: MID 3037591 SPF: mailfrom

|rex "\s+MID\s+\<\|?(?<MID>[^\>]+)" ?

Based on the example log, there are no brackets around MID value and I suspect you just want the MID near the beginning of the log, so try

| rex "info:\s+MID\s+(?<MID>[^\s]+)"

I found what i want :

index = * sourcetype="cisco:esa:textmail" | eventstats values(src) AS cs_ip BY icid
| eventstats values(dest) AS ss_ip BY dcid
| eval recipient_count=mvcount(recipient)
| stats values(internal_message_id) AS tmpMID
values(icid) AS icid
values(sender) AS sender
values(recipient) AS recipient
values(message_size) AS message_size values(antivirus_status) as antivirus_status
values(quarantine_dest) as quarantine_dest values(reason) as reason values(virus_vendor_category) as virus_vendor_category
values(response) AS response
values(message_subject) as message_subject
values(cs_ip) AS cs_ip
values(ss_ip) AS ss_ip
values(dcid) AS dcid BY internal_message_id
| eval recipient_count=mvcount(recipient)
| eval mid=tmpMID
| mvexpand mid
| eventstats values(tmpMID) AS tmp BY mid | eval t=mvjoin(tmp, " ")
| stats values(sender) AS sender values(recipient) AS recipient
values(message_subject) as subject values(antivirus_status) as antivirus_status
values(quarantine_dest) as quarantine_dest values(reason) as reason values(virus_vendor_category) as virus_vendor_category
max(message_size) AS message_size
max(recipient_count) AS recipient_count
values(internal_message_id) AS internal_message_id
values(dcid) AS dcid
values(response) AS response
values(cs_ip) AS cs_ip
values(ss_ip) AS ss_ip BY icid