As a simple test you can do something like the following:

|makeresults | eval domain="mybaddomain.com" | eval description="my rad descrition" | eval weight=10 | table description, domain, weight | outputlookup append=T local_domain_intel

That will write a line with your bad domain and associated description to the local lookup. From there go to the threat artifacts page (ESS>Security Intelligence>Threat Intelligence>Threat Artifacts)
https://:8000/en-US/app/SplunkEnterpriseSecuritySuite/threat_artifacts
And then in the dropdown for "Threat Group" select "local_domain_intel". Your values should show up there.
Now at this point, the threat matching correlation search will fire when it sees that domain in your logs, such as proxy logs, etc.

local_domain_intel would be were you want to put your own domains. You should not need to be rebuild the threat activity datamodel. It is important to understand how the threat intel framework works. Check for your domain in the threat artifact dashboard and verify it is in the domain intelligence panel. This will provide assurance that it loaded properly. The threat intelligence audit dashboard can provide insight into this as well.

There are some additional threat generation searches that will run that will compare new events coming into the system to the threat intel that you have. Those matches are what is written into the threat activity data model and are also triggered via the correlation search. The maintenance searches run on intervals that are defined in the system so that might be another thing to tweak.

If you are looking to add a domain and then look at historical data, that is not the best mechanism to do that. You would want to do a search against the data in question and leverage a lookup, a subsearch could be used for this if you have more than a couple of domains to search against.