For example.
I make a correlation search like:

|from datamodel:"Intrusion_Detection"
|eval type=signature+src+dest+dvc
|where severity="high"
|eval status_group="threat"
|stats latest(_time) as _time,values(host) as host,values(id) as id,values(severity) as severity,values(signature) as signature,values(src) as src,values(dest) as dest,values(dvc) as dvc,values(status) as status,values(status_group) as status_group,values(owner) as owner,values(governance) as governance,values(control) as control,values(action) as action count by type
|fillnull value="unknown" src,dest,dvc,governance,control,status,owner,status_group,host,action,user
|where count>10
| table _time,host,severity,signature,src,dest,dvc,status,status_group,owner,governance,control,count,action,id

And now, I want to find the original events of this correlation search. maybe like:

2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:56:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:57:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:33:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 11:20:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:43:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:48:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:47:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:59:00,172.18.1.1,critical,SQL Injection,10.0.0.2
2018-09-11 10:50:00,172.18.1.1,critical,SQL Injection,10.0.0.2*

How can I do this?