This is a better and more flexible option than timewrap in my opinion. Performance ain’t too shabby either.
index=foo earliest=-1d latest=now | timechart span=10m count as Current | appendcols appendcols
Port usage for opsec sourcetype
Stats count by port usage
index=* sourcetype=opsec | stats count by s_port proto dest dest_svc action product