Splunk Enterprise Security

Checking against a known threat intel IP

neerajs_81
Builder

Hello All,
I am a newbie to ES and need some help on a basic use case of ES. We are ingesting our firewall logs into Splunk. How can I set up a search to check connection attempts (as in dest_ip) going to malicious IPs / C&C IP addresses?

index=cisco
| lookup ip_intel ip AS dest_ip OUTPUT threat_key, description AS threat_description
| where isnotnull(threat_key)
| table _time src_ip dest_ip threat_key threat_description

(i.e. something that compares dest_ip against the threat intel list and then generates an alert or shows the data in table format)

We don't want to rely on manually creating a lookup file and keep on manually updating it.

0 Karma

ro_mc
Path Finder

Since you're new, it's probably best to start with an overview at the link below, noting that the threat framework does the work in the background for you to generate notables for your security data:

https://www.youtube.com/watch?v=NJT-fE35eaY

Splunk allows you to trigger notable events based on threat intel information. Start by configuring the threat intel following the directions here:

https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Addthreatintel

Nearly every threat intel source will reference the EICAR test file, so I would recommend downloading that after setting up the threat intel to verify that the notable fires correctly.

https://www.eicar.org/?page_id=3950

Even if you planned on creating your own lookups, these could be integrated into ES as a new threat intel source to be managed and prioritised along with existing threat intel sources. It's definitely not a case of 'one or the other'.

If you wanted to set up a custom search despite what ES provides, and you decided not to use guided mode for the correlation search, my recommendation would be to start with the "Network_Traffic" datamodel to search on the desired dataset, and progress to using tstats to form efficient searches. As long as the datamodel references your index appropriately, you're good to go.

If you have everything configured, but don't seem to be getting the results you expect, please provide some additional detail on what you have configured, what tests you've performed, and what results you received.

0 Karma
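To make the two suggestions above concrete, here is an added example (written for this page; it is not code from the thread or from Splunk's own ES content). The first search is the check for whether ES's built-in threat matching is already firing: it assumes ES writes its matches to the threat_activity index with the fields threat_match_field, threat_match_value and threat_key. The second is the custom route: a tstats search over the Network_Traffic data model, joined to the ES IP intel collection. It assumes the data model is accelerated and fed by the cisco index, that the firewall TA maps the destination address to All_Traffic.dest (the CIM name, not dest_ip), and that the ES lookup is called ip_intel with the fields ip, threat_key, description and weight.

```spl
index=threat_activity threat_match_field=dest
| stats count min(_time) AS firstTime max(_time) AS lastTime BY threat_match_value threat_key
| convert ctime(firstTime) ctime(lastTime)


| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.action=allowed
    BY All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| rename All_Traffic.* AS *
| lookup ip_intel ip AS dest OUTPUT threat_key, description AS threat_description, weight
| where isnotnull(threat_key)
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime src dest dest_port count threat_key threat_description weight
```

Run the first search over a recent window before building anything custom; if it returns rows for your firewall destinations, the framework is already doing the matching and a correlation search on threat_activity (or the notables it produces) is all you need. For the second search, summariesonly=true keeps it fast but only returns accelerated data, so set it to false while validating. One caveat: a plain lookup against the KV store collection matches exact values only, so CIDR entries in the intel will not match with this custom search, whereas ES's own threat matching handles them. That is another reason to prefer the built-in path and reserve the custom search for ad-hoc investigation.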