Per a previous question/post: "Search Proofpoint Logs", I did get that working, thanks again Kristian. I now want to add one more caveat to it, if possible. The current search:

index=xyz |  eval time=strftime(_time, "%m-%d-%y") | rex "env_from\s+value=(?<sender>\S+)" | rex "env_rcpt\s+r=\d+\s+value=(?<receiver>\S+)"
| stats first(time) as Date list(sender) as Sender values(receiver) as Receivers first(subject) as Subject max(spamscore) as Spamscore by s
| where (Receivers="abc@xyz.com" OR Receivers="123@xyz.com") 
| table Date Sender Receivers Subject Spamscore

Where I have the 'where clause' above: where (Receivers="abc@xyz.com" OR Receivers="123@xyz.com")

I want to instead pull the list of possible Receivers from a large list. I created a 'Lookup Definition' so that I could use: inputlookup .

From all the postings I read, I may need to use a subquery. I have gotten that to work such that records are chosen only if they contain an address in the Address_List
but as you can see from the sample below, I also need the Sender, SpamScore, etc. that are on different lines.

So basically, I want to pull ONLY Receivers in the Address List. I couldn't make that happen.

Thanks,
Bob
[2011-10-23 16:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085
[2011-10-23 16:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=uvh@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182
[2011-10-23 16:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=abc@xyz.com verified= routes=
[2011-10-23 16:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091
[2011-10-23 16:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0
[2011-10-23 16:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43

[2011-10-23 17:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085
[2011-10-23 17:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=xyz@hotmail.com qid=p9NG5xMt010615 ip=209.85.210.182
[2011-10-23 17:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=123@xyz.com verified= routes=
[2011-10-23 17:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091
[2011-10-23 17:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0
[2011-10-23 17:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43

[2011-10-23 18:05:59.502387 +0000] rprt s=10kch03n9t mod=session cmd=connect ip=209.85.210.182 perlwait=0.085
[2011-10-23 18:06:26.251606 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_from value=123@gmail.com qid=p9NG5xMt010615 ip=209.85.210.182
[2011-10-23 18:06:26.405437 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=env_rcpt r=1 value=xxtt@xyz.com verified= routes=
[2011-10-23 18:06:26.875486 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=spam cmd=run score=0 spamscore=0 ipscore=0 suspectscore=3 phishscore=0 bulkscore=0 adultscore=0 duration=0.091
[2011-10-23 18:06:26.879828 +0000] rprt s=10kch03n9t m=3 x=p9NG5xMt010615 mod=mail cmd=msg module=spf rule=pass action=continue attachments=0 rcpts=1 subject="Hi" spamscore=0
[2011-10-23 18:06:56.927722 +0000] rprt s=10kch03n9t mod=session cmd=disconnect module= rule= action= helo=mail-iy0-f182.google.com msgs=3 rcpts=3 routes= duration=1.119 elapsed=57.43