Splunk Enterprise Security

How to use "nodename" in tstats

nb1030
New Member

In the default ES data model "Malware", the "tag" field is extracted for the parent "Malware_Attacks", but it does not contain any values (not even the default "malware" or "attack" used in the "Constraints"). They are, however, found in the "tag" field under the children "Allowed_Malware", "Blocked_Malware", and "Quarantined_Malware". In IR, there is a correlation search ("Host With A Recurring Malware Infection"). I created an event type and tag for tagging certain software as "approved_software". It is working and showing in the "tag" field under the three children above. The correlation search does not work when calling out the field "Malware_Attacks.tag", as there are no values in this field. I am trying to use "nodename" to call all three of the above children datasets, but I am not sure how to call the individual field "tag" in each of them. Below is the furthest I have gotten where the search works. How do I call the individual fields (i.e. "Allowed_Malware.tag" or "Blocked_Malware.tag") so I can exclude those with a tag of "approved_software"?

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel=Malware.Malware_Attacks where nodename=Malware_Attacks.Allowed_Malware by "Malware_Attacks.dest","Malware_Attacks.signature"

0 Karma

muralimadhavan
Explorer

Try this

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel=Malware.Malware_Attacks where nodename=* by nodename "Malware_Attacks.dest","Malware_Attacks.signature" | search nodename!=Malware_Attacks.Allowed_Malware

0 Karma
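The following is an added example, not code from either poster and not Splunk's shipped "Host With A Recurring Malware Infection" search. It shows one way to cover all three child datasets with nodename in a single tstats call and to drop the approved_software events inside the where clause rather than in a trailing search. It assumes that tstats refers to data model fields by the root dataset name, so the tag field is Malware_Attacks.tag for every child node rather than Allowed_Malware.tag, and that, as the question reports, the tag values are present for the child nodes in the accelerated summary. The day_count threshold of 3 and the rename to bare field names are assumed for illustration and are not taken from the page.

```spl
| tstats summariesonly=true allow_old_summaries=true
    dc(Malware_Attacks.date) as day_count, count
    from datamodel=Malware.Malware_Attacks
    where (nodename=Malware_Attacks.Allowed_Malware
        OR nodename=Malware_Attacks.Blocked_Malware
        OR nodename=Malware_Attacks.Quarantined_Malware)
      NOT Malware_Attacks.tag=approved_software
    by nodename, Malware_Attacks.dest, Malware_Attacks.signature
| rename Malware_Attacks.* as *
| where day_count > 3
```

Two checks are worth doing before trusting the result. First, tags are search-time knowledge objects: any summary buckets that were built before the approved_software event type and tag existed will not contain that tag value, so either rebuild the Malware data model acceleration or run the search once with summariesonly=false and compare counts. Second, NOT Malware_Attacks.tag=approved_software is used instead of Malware_Attacks.tag!=approved_software because tag is multivalue, and the NOT form removes an event if any of its tag values is approved_software, which is the exclusion the question asks for. Keeping nodename in the by clause lets you confirm that all three child nodes actually contributed rows; drop it once that is verified if you want one row per dest and signature.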