// Traffic volume per IP protocol, in 5-minute buckets, for a single firewall.
// Output: one row per timeslice, one column per protocol label, cell = record count.
//
// Scope: traffic-type records from the fw_security source category that contain a
// token starting with "proto" and come from exactly one device id.
// NOTE(review): the devid is hard-coded, so every other firewall feeding this source
// category is excluded from the result -- confirm that is intended before using this
// panel as a fleet-wide view.
_index=security_logs _sourceCategory=fw_security "type=\"traffic\"" AND proto* AND "devid=\"FG200D4Q15811704\""
// Extract the word characters that follow "proto=" into the field `proto`.
// NOTE(review): assumes proto is logged unquoted (proto=6), unlike type/devid, which the
// scope above matches in quoted form; a quoted value would not satisfy (\w+) -- confirm
// against a raw record.
| keyvalue regex "=(\w+)" keys "proto"
// Map IANA protocol numbers to labels. Each stage either sets the label or passes the
// previous value through, so the order of these stages matters.
| if (proto matches "1", "ICMP", proto) as protocol
| if (proto matches "6", "TCP", protocol) as protocol
| if (proto matches "17", "UDP", protocol) as protocol
| if (proto matches "50", "IPSEC-ESP", protocol) as protocol
| if (proto matches "51", "IPSEC-AH", protocol) as protocol
// Everything that is not one of the five numbers above is folded into "OTHER".
// That bucket therefore also contains e.g. GRE (47) and ICMPv6 (58); a rise in OTHER
// says nothing about which protocol caused it, so drill down on the raw `proto` value.
// NOTE(review): what happens to records where `proto` was not extracted is not visible
// here -- verify whether they land in OTHER or in a null column.
| if (!(proto == "1" OR proto == "6" OR proto == "17" OR proto == "50" OR proto == "51"), "OTHER", protocol) as protocol
// Bucket into 5-minute slices and count records per (slice, protocol).
| timeslice by 5m
| count by _timeslice, protocol
// NOTE(review): this sort runs before the pivot; presumably it has no visible effect on
// the transposed table -- confirm, and sort by _timeslice if chronological rows are wanted.
| order by _count
// Pivot: rows are timeslices, columns are the protocol labels.
| transpose row _timeslice column protocol as *