Have you thought about a workaround using the cluster command?
"The cluster command groups events together based on how similar they are to each other"
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Cluster
Assuming the _time as unique identifier per mail I could think of something like:
| makeresults
| eval sender="John.Smith@Coolcompany.com"
| eval recipientes="JohnSmith546@mail.com"
| eval combined = sender + "," + recipientes
| makemv delim="," combined
| stats values(combined) as combined BY _time
| stats count BY combined, _time
| cluster labelonly=true t=0.1 match=ngramset field=combined
| stats, values(combined), dc(cluster_label) BY _time
This compares both adresses and gives them the same cluster_label, if they are similar. A final dc(clusterlabel)=1 means, that it might be the same person
... View more