@bravosec1 Based on the query you provided, you are joining data from two different sourcetypes when they share dstip, then doing a stats count by.
| join dstip
[search index=main sourcetype="threat_lists" ]
| stats count by date, user, srcip, dstip, ETmsg
To convert this to a correlated search, we would need to know what data model these are going to and which fields in your original search map to which data model fields.
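As an added example (not part of the reply above and not the original poster's search), here is the same correlation written without `join`. In Splunk, `join` defaults to an inner join that keeps only the first matching subsearch row per `dstip` and is bound by subsearch result-count and time limits, so a threat list with many entries can silently truncate the match set. The base sourcetype is not shown in the thread, so `sourcetype=<base_sourcetype>` is a placeholder; the field names are the ones from the original search. The first search is the minimal change (the subsearch becomes an `OR` filter on `dstip`); the second avoids subsearches entirely by pulling both sourcetypes in one search and correlating with `eventstats`.

```spl
index=main sourcetype=<base_sourcetype>
    [ search index=main sourcetype="threat_lists"
      | dedup dstip
      | fields dstip ]
| stats count by date, user, srcip, dstip, ETmsg

index=main (sourcetype=<base_sourcetype> OR sourcetype="threat_lists")
| eval on_threat_list=if(sourcetype="threat_lists", 1, 0)
| eventstats max(on_threat_list) AS dstip_is_listed BY dstip
| where dstip_is_listed=1 AND sourcetype!="threat_lists"
| stats count by date, user, srcip, dstip, ETmsg
```

The `eventstats` form is the one to prefer for a scheduled correlation search over a large threat list, because no row limit applies to it; the `where` clause drops the threat list rows themselves so that only the base events that hit a listed `dstip` are counted.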