@renjith.nair, thank you for putting the time into creating dummy data generation to help me find a solution. Your example you provided with the results it yielded is exactly what I am looking for.

I have further fixed more of the issue by extracting a new field, called "To_or_From_MSD_Number" which uses specific regex to capture the MSD number ONLY if it is a To or From email event. This has given me near exactly the results I needed when using your new search query.

However, what I have found is that this email application will re-use the MSD number further in the same day, making results have multiple values in the From and To columns. Due to this unfortunate detail, I wonder if this is beyond the scope of Splunk's ability. The search query would have to somehow get the msd matched To and From events that are within the same hour. Or maybe I could throw the source ip that is in the To event into the query somewhere to isolate the results.

Here is an example, where I specified 1 MSD number because it has been used twice already today:
search query:

host = hostIp To_or_From_MSD_Number="10092" | stats values(Email_From_Address) as From,values(Email_To_Address) as To, count by To_or_From_MSD_Number|where count>1| fields - count

Results:

To_or_From_MSD_Number: From: To:
10092 from@first.com to@first.com
from@second.com to@second.com

And here would be the actual To and From events from the results:

Oct 8 06:27:19 mail msd[10092] MAIL command received, args: FROM: from@first.com
Oct 8 06:27:19 mail msd[10092] RCPT command received (1.1.1.1), args: TO: to@first.com
Oct 8 08:20:10 mail msd[10092] MAIL command received, args: FROM: from@second.com
Oct 8 08:20:11 mail msd[10092] RCPT command received (2.2.2.2), args: TO: to@second.com

After looking at the events here I noticed that the source ip in the To events differs, is it possible to separate the joined results from our search query by using that source ip? (meaning the 1.1.1.1 and the 2.2.2.2 ips in the To events)

The results I would hope could be achievable would look something like this:

Source IP: MSD Number: From: To:
1.1.1.1 10092 from@first.com to@first.com
2.2.2.2 10092 from@second.com to@second.com

I apologize for this difficult request. I will accept that what I ask for is over-complicated and not achievable if necessary.

@silverlink34 , no problem! Are the IPs in both FROM & TO events or only in the TO?
If not and if the only way to find it based on time difference,then lets try transaction

My sample events

Oct 8 06:27:19 mail msd=10092 MAIL command received, args: FROM=from@first.com
Oct 8 06:27:19 mail msd=10092 RCPT command received (1.1.1.1), args: TO=to@first.com
Oct 8 06:40:19 mail msd=10098 MAIL command received, args: FROM=from@second.com
Oct 8 06:40:19 mail msd=10099 RCPT command received (1.1.1.1), args: TO=to@second.com
Oct 8 08:20:10 mail msd=10092 MAIL command received, args: FROM=from@third.com
Oct 8 08:20:11 mail msd=10092 RCPT command received (2.2.2.2), args: TO=to@third.com
Oct 8 09:20:10 mail msd=10019 MAIL command received, args: FROM=from@fourth.com
Oct 8 09:20:11 mail msd=10019 RCPT command received (2.2.2.2), args: TO=to@fourth.com

Search
"search terms and field extractions" |transaction MSD startswith="FROM" endswith="TO" keepevicted=false maxspan=1hr|table MSD,FROM,TO

Result

MSD FROM                         TO
10019   from@fourth.com   to@fourth.com
10092   from@third.com         to@third.com
10092   from@first.com         to@first.com

The events are separate. I am trying to put together the search string with the count>1 suggestion you have proposed. Thank you for helping! I'll let you know where it gets me.

If the events are separate, then it should work, added as answer with a dummy search. please try and let me know if it works for you

Thank you for your suggestion, I do appreciate your input. However, this gives the same result as my query does. Each event that contains the Email_From_Address or Email_To_Address already contains the msd_number in it, so the results in the stats list does not change. The results from my query returns every msd_number found, but these results have several rows that are missing the Email_From_Address and/or the Email_To_Address. I am unsure of how to only show results that have the same msd_number that is in the Email_From_Address and the Email_To_Address. I will try @renjith.nair's approach and see what that does.

Hi @silverlink34, Can you please share some of the sample of your events and what do you want exactly as result?

Yes sir! Here are the two events I am pulling information from, and the fields pulled from them:

"<22>Oct 3 15:00:17 mail msd[24056]: MAIL command received, args: FROM:"

• Email_From_MSD_Number = 24056
• Email_From_Address = silverlink34@domain.com
• msd_number = 24056

"<22>Oct 3 15:00:17 mail msd[24056]: RCPT command received (0.0.0.0), args: TO:"

1. Email_To_MSD_Number = 24056
2. Email_To_Address = splunkhelp@domain.com
3. msd_number = 24056

And the results I am trying to get are:

Column1:From Column2:To Column3:MSD Number
silverlink34@domain.com splunkhelp@domain.com 24056

... and the rest of the rows from the list of results, I want ALL of the Froms, Tos, and MSD numbers.
I ONLY want rows that have all three columns, do not want rows that have only From/To/ or MSD Number.
And of course once I can figure this out I can span off into my other desired results.

I've edited query in my answer, try that query. Hope that helps.

I thank you all again for your continued support. I have found out why my results are not as expected, which is to two large factors:

1. Even though the Email_To_MSD_Number and Email_From_MSD_Number fields are always present in ONLY an email To or From event, the generic msd_number field is found not only in Email To and From events, but other events as well. This results in our tested query to give rows without a To or From email address, because when using "by msd_number" it includes the rows that don't have an Email_From_Address or Email_To_Address.
2. I have found that the msd_number is re-used later in the day, so it is not entirely unique per every message. I would almost have to make sure the Email_From_Address event and Email_To_Address events are within the same hour to ensure the msd_number is unique between them.