From your sample data, it looks like you want to compare the email addresses after removing the dots. Your examples only show significant dots in the user name, and that could be done too, but as I'm thinking about this you could really just remove ALL the dots and compare which is a slightly simpler solution.
For that, you can use the command rex in sed mode. Here's an example of it.
... whatever search here that returns a field named "evil_email" that is the one you want to change...
| rex mode=sed field=evil_email "s/\.//g"
The rex says to take any period (which is escaped in the sample to \. ) and replace it with nothing - (there's nothing between the last two forward slashes). The g at the end means to do it "globally", or in other words replace that period every time you see it, not just the first time. That returns fields like ardentreasure@gmailcom
Once you have that, you could pipe that to something like
...
| rex mode=sed field=evil_email "s/\.//g"
| stats count by evil_email | search count>1
To return all the items where it's been used more than once. If you'd rather see the top 20, then instead of stats then search, you could use something like
...
| rex mode=sed field=evil_email "s/\.//g"
| top limit=20 evil_email
Does that help?
... View more