postfix logs
From and To
host=*smtp* (sourcetype=postfix_log OR sourcetype=postfix_syslog OR sourcetype=message_log)
| rex field=_raw "[^:]+:[^:]+:[^:]+: (?<postfix_id>[A-F0-9]\w+):"
| transaction postfix_id
| rex field=_raw "from=\<(?<postfix_from>.*?)\>,"
| rex field=_raw max_match=0 " (to|orig_to)=\<(?<postfix_to>.*?)\>"
| rex field=_raw "relay=(?<postfix_relay_dns>[^,\[]+)\[(?<postfix_relay_ip>[^\]]+)\]"
| table _time, postfix_id, postfix_from, postfix_to, postfix_relay_dns, postfix_relay_ip

Notes on the search:
- The first rex assumes the classic syslog layout (two colons inside the timestamp, one after postfix/<daemon>[pid]) and takes the queue ID that follows; lines without a queue ID (connect/disconnect, warning:, NOQUEUE rejects) get no postfix_id and drop out of the transaction.
- transaction merges every line with the same queue ID (smtpd, cleanup, qmgr, smtp/local) into one multi-line event, so the later rex calls run over the whole message, not a single line.
- Without max_match=0, rex keeps only the first recipient, so multi-recipient messages lose their other to= lines; with it, postfix_to is a multivalue field. orig_to= appears when an alias or virtual mapping rewrote the address, so the original and the final recipient both show up.
- from=<> (empty postfix_from) is a bounce with the null sender, not a parsing failure.
- The relay regex uses character classes instead of .*?; with .*? a deferred delivery (relay=none ... status=deferred (connect to host[ip]:25 ...)) lets the match run across fields and reports the remote host as the relay. relay=local and relay=none have no [ip] part and correctly yield no relay fields. Only the first relay is shown per transaction; for a per-delivery view, run the rex calls before transaction, or use stats by postfix_id instead.
The sourcetypes come from the Splunk forwarder on the SMTP server; which of postfix_log, postfix_syslog or message_log the mail log lands in depends on how that input is configured, so adjust the sourcetype list and the host=*smtp* filter to match your own deployment.
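For working through the same correlation offline (for instance when checking a regex change before running it against the index), here is an added Python equivalent. It is not part of the original note and not Splunk code; the sample log lines are constructed for the example, and the function and field names (correlate, to_rows, relay_dns, relay_ip, status) are this example's own. It uses the same queue-id pattern as the search, groups lines by queue ID the way transaction does, keeps every recipient rather than only the first, and shows why the relay regex must not use .*?: the deferred message in the sample would otherwise report mx.example.net as its relay.

```python
import re

# Constructed sample lines in the classic syslog layout Postfix writes; not taken
# from any real mail host. One two-recipient message (one recipient alias-expanded
# and delivered locally), one deferred message with relay=none, one warning line.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail1 postfix/smtpd[2211]: 4F3A2B1C9D: client=unknown[203.0.113.5]
Mar  3 10:15:01 mail1 postfix/qmgr[1189]: 4F3A2B1C9D: from=<alice@example.org>, size=1024, nrcpt=2 (queue active)
Mar  3 10:15:02 mail1 postfix/smtp[2219]: 4F3A2B1C9D: to=<bob@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.8, delays=0.1/0.01/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:15:02 mail1 postfix/local[2220]: 4F3A2B1C9D: to=<carol@mail1>, orig_to=<postmaster@example.org>, relay=local, delay=0.2, delays=0.1/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  3 10:15:02 mail1 postfix/qmgr[1189]: 4F3A2B1C9D: removed
Mar  3 10:16:40 mail1 postfix/qmgr[1189]: 7A9C0D11E2: from=<eve@example.org>, size=512, nrcpt=1 (queue active)
Mar  3 10:16:40 mail1 postfix/smtp[2230]: 7A9C0D11E2: to=<dave@example.net>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.9]:25: Connection timed out)
Mar  3 10:17:00 mail1 postfix/smtpd[2240]: warning: hostname bad.example does not resolve to address 203.0.113.9
"""

# Same queue-id pattern as the Splunk search: skip the two colons inside the
# timestamp and the one after "postfix/<daemon>[pid]", then take the hex id.
QUEUE_ID_RE = re.compile(r"[^:]+:[^:]+:[^:]+: (?P<postfix_id>[A-F0-9]\w+):")
FROM_RE = re.compile(r"from=<(?P<postfix_from>.*?)>,")   # from=<> is a bounce (null sender)
TO_RE = re.compile(r" to=<(?P<postfix_to>.*?)>")         # leading space keeps orig_to= out
ORIG_TO_RE = re.compile(r" orig_to=<(?P<orig_to>.*?)>")
# Character classes instead of .*? so the match cannot run past "relay=none,"
# into the "(connect to host[ip]:25 ...)" text of a deferred delivery line.
RELAY_RE = re.compile(r"relay=(?P<postfix_relay_dns>[^,\[]+)\[(?P<postfix_relay_ip>[^\]]+)\]")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def correlate(log_text):
    """Group lines by queue id (the `transaction postfix_id` step) and record
    the sender plus one entry per delivery attempt (to=/orig_to=/relay=/status=)."""
    messages = {}
    for line in log_text.splitlines():
        m = QUEUE_ID_RE.search(line)
        if not m:
            continue  # connect/disconnect, warning: and NOQUEUE lines carry no queue id
        rec = messages.setdefault(m.group("postfix_id"), {"from": None, "deliveries": []})
        fm = FROM_RE.search(line)
        if fm:
            rec["from"] = fm.group("postfix_from")
        tm = TO_RE.search(line)
        if not tm:
            continue
        om, rm, sm = ORIG_TO_RE.search(line), RELAY_RE.search(line), STATUS_RE.search(line)
        rec["deliveries"].append({
            "to": tm.group("postfix_to"),
            "orig_to": om.group("orig_to") if om else None,
            "relay_dns": rm.group("postfix_relay_dns") if rm else None,  # None for relay=local / relay=none
            "relay_ip": rm.group("postfix_relay_ip") if rm else None,
            "status": sm.group("status") if sm else None,
        })
    return messages


def to_rows(messages):
    """Flatten to one row per delivery attempt, like the `table` at the end of the search."""
    rows = []
    for qid, rec in messages.items():
        for d in rec["deliveries"]:
            rows.append((qid, rec["from"], d["to"], d["orig_to"],
                         d["relay_dns"], d["relay_ip"], d["status"]))
    return rows


if __name__ == "__main__":
    for row in to_rows(correlate(SAMPLE_LOG)):
        print("\t".join("" if v is None else v for v in row))
```

Running it prints three rows: two for 4F3A2B1C9D (the SMTP delivery with its relay host and IP, the local delivery with orig_to filled and no relay) and one deferred row for 7A9C0D11E2 with no relay, which is the result the corrected Splunk relay regex gives as well.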