Give this a try. I am assuming you want a line for each combination of src_ip, dest_ip, and threat_name based on your search above. By the way, you are missing a function in your stats command. Something like count, avg, min, max, etc... Either way, I created a field that concatenates the src_ip, dest_ip, and threat_name so you can get a line for each in a line graph for example. I hope this helps.
index=xxx_paloalto sourcetype="pan:threat" type=threat (threat_name="SCAN: TCP Port Scan(8001)” OR threat_name=“SCAN: Host Sweep(8002)”)
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2")
src_ip != xxx
| eval byfield=src_ip . "," . dest_ip . "," . threat_name
| bin _time span=1d
| chart count over _time by byfield