I am working to develop a search that groups multiple event source IPs that match a single event's destination IP. Additionally, the group of events would occur within the span of say 5s after the event of interest occurs (inclusive). 

I have tried using transaction but this only seems to group based on the same field. Coalesce does not work either as the sourceip field is present for most or all events, so destip info will not be included.

"Initial search"
| eval mySingleField=coalesce(sourceip, destip)
| transaction mySingleField maxspan=5s
| where eventcount > 1

I have tried using localize and map and I am also having trouble implementing it here too. As I am understanding localize, it only creates "an event region" which is a period of time in which consecutive events are separated. I'm having trouble understanding if this actually passess the events or if it only passes the event region/time to the map function. I was hoping that localize would limit the search space similarly as maxspan does for the transact command as there are millions of searches. 

"Initial Search defining event region"
| localize timeafter=5s
| map search="search srcip starttimeu=$starttime$ endtimeu=$endtime$"