I have a threatid from firewall with IP address information. and want to ask is it possible to create report/alert for the repeating same ip address after 7 days without manually input the ip address?
You could try something like this and alert if count>0
... earliest=-7d@d | stats count as occurrences by ip | where occurrences>(enter your threshold number here)
This should get you started.
index=foo threatid=bar | bin span=7d _time | stats count by ipaddress | where count > 1