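// Two separate searches over firewall logs in the security_logs index.
// Run each one on its own; they were pasted together on a single line.
// NOTE(review): field names (type, subtype, action, app, sentbyte, rcvdbyte)
// look like key=value firewall logs. Confirm against a raw sample, because
// the keyword filter in query 1 uses unquoted values (type=utm) while
// query 2 uses quoted ones (type="traffic").

// Query 1: ten applications with the most UTM events that the firewall passed.
// The capture group must be named: the original "(?.*?)" had lost its
// <appl> name, which is not a valid pattern and leaves appl undefined.
// The leading space before app= keeps the pattern from matching a longer key
// that merely ends in "app", and is the same pattern query 2 uses.
_index=security_logs _sourceCategory=fw_security ("type=utm" AND "action=pass")
| extract " app=\"(?<appl>.*?)\" "
// "by" was missing between the alias and the grouping field.
| count as count by appl
// NOTE(review): relies on the default sort direction. Confirm the result is
// largest-first before reading the limit as a "top 10".
| sort by count
| limit 10

// Query 2: ten applications by total forwarded traffic volume, in GiB.
_index=security_logs _sourceCategory=fw_security ("type=\"traffic\"" AND "subtype=\"forward\"") AND " app="
| extract " app=\"(?<appl>.*?)\" "
// Fold case so the same application is not counted under two spellings.
| toLowerCase(appl) as appl
// Records missing sentbyte or rcvdbyte do not parse and fall out of the totals.
| parse "sentbyte=* " as bsnt
| parse "rcvdbyte=* " as brec
| brec + bsnt as btot
// NOTE(review): _timeslice is not in the group-by below, so the sum covers the
// whole search range. Add it to the "by" clause if a per-5m series is wanted.
| timeslice 5m
| sum(btot) as bytes by appl
// 1073741824 = 2^30, so gbytes is GiB.
| (bytes / 1073741824) as gbytes
| fields - bytes
// NOTE(review): same sort-direction caveat as in query 1.
| order by gbytes, appl
| limit 10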