Create a lookup called AppPortLookup which has entries like this:
app port
ssl 443,8443
http 80,443
Then, you can do something like this:
| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
FROM datamodel=Network_Traffic
WHERE
[|inputlookup AppPortLookup
| rename app AS All_Traffic.app
| rename port AS All_Traffic.dest_port
| format
| rex field=search mode=sed "s/AND \"All_Traffic.dest_port\"=/AND NOT \"All_Traffic.dest_port\" IN(/g s/ \) /) ) /g s/,/\",\"/g" ]
BY All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port
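Added example (not part of the original answer, and not Splunk code): a Python sketch of what the subsearch above expands to before `tstats` runs, and of which flows the resulting clause matches. It assumes `format` emits quoted field names, as the sed patterns in the post expect; the function names and sample flows are constructed for illustration.

```python
import re

# Constructed rows mirroring the AppPortLookup entries shown in the post.
LOOKUP = [{"app": "ssl", "port": "443,8443"}, {"app": "http", "port": "80,443"}]

# The three sed substitutions from the post's rex command, applied in order.
SED_STEPS = [
    (r'AND "All_Traffic.dest_port"=', 'AND NOT "All_Traffic.dest_port" IN('),
    (r' \) ', ') ) '),   # closes the IN( opened by the first substitution
    (r',', '","'),       # "443,8443" becomes "443","8443"
]

def format_rows(rows):
    """Approximate `format` output after the two renames (assumed shape)."""
    clauses = [
        f'( "All_Traffic.app"="{r["app"]}" AND "All_Traffic.dest_port"="{r["port"]}" )'
        for r in rows
    ]
    return "( " + " OR ".join(clauses) + " )"

def expand_where(rows):
    """Return the clause that ends up in the tstats WHERE."""
    search = format_rows(rows)
    for pattern, repl in SED_STEPS:
        search = re.sub(pattern, repl, search)
    return search

def unexpected(flows, rows):
    """Same logic as the expanded clause: app is listed AND port is not in its list.
    Apps absent from the lookup never match, so they are not reported."""
    allowed = {r["app"]: set(r["port"].split(",")) for r in rows}
    return [f for f in flows
            if f["app"] in allowed and str(f["dest_port"]) not in allowed[f["app"]]]

# Constructed sample flows.
FLOWS = [
    {"app": "ssl", "dest_port": 443},    # expected port, not returned
    {"app": "ssl", "dest_port": 4444},   # returned
    {"app": "http", "dest_port": 8080},  # returned
    {"app": "dns", "dest_port": 53},     # app not in lookup, not returned
]

if __name__ == "__main__":
    print(expand_where(LOOKUP))
    for flow in unexpected(FLOWS, LOOKUP):
        print(flow)
```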