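I found what I want:

```Correlate Cisco ESA text mail logs: first one row per message (internal_message_id), then one row per connection (icid).```
```index = * scans every index the searching role can read; narrow it to the index that holds the ESA logs where that is known.```
index = * sourcetype="cisco:esa:textmail"
```Attach the src values seen for a connection (icid) to all of its events as cs_ip, and the dest values seen for a dcid as ss_ip.```
| eventstats values(src) AS cs_ip BY icid
| eventstats values(dest) AS ss_ip BY dcid
```Per-message rollup. Events with no internal_message_id do not survive this stats.```
| stats values(icid) AS icid values(sender) AS sender values(recipient) AS recipient values(message_size) AS message_size values(antivirus_status) as antivirus_status values(quarantine_dest) as quarantine_dest values(reason) as reason values(virus_vendor_category) as virus_vendor_category values(response) AS response values(message_subject) as message_subject values(cs_ip) AS cs_ip values(ss_ip) AS ss_ip values(dcid) AS dcid BY internal_message_id
```Count recipients after the rollup: stats keeps only the fields it names, so a count computed earlier would be discarded.```
| eval recipient_count=mvcount(recipient)
```Per-connection rollup. Messages whose row has no icid are dropped by BY icid.```
```When one icid carries several messages, sender, recipient, subject and antivirus_status are merged into de-duplicated multivalue sets and can no longer be paired with a specific message; keep internal_message_id in the output and pivot on it before acting on a verdict.```
| stats values(sender) AS sender values(recipient) AS recipient values(message_subject) as subject values(antivirus_status) as antivirus_status values(quarantine_dest) as quarantine_dest values(reason) as reason values(virus_vendor_category) as virus_vendor_category max(message_size) AS message_size max(recipient_count) AS recipient_count values(internal_message_id) AS internal_message_id values(dcid) AS dcid values(response) AS response values(cs_ip) AS cs_ip values(ss_ip) AS ss_ip BY icid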