OQL is separated into two parts within a basic query in HUNT or DASHBOARDS. They are separated by the pipe or | symbol. Left of the pipe is OQL based on Lucene query syntax. This is where you would put message:"dstport=3389". But in this case I would not suggest using the message block, because the data is parsed from that into other field/value pairs. Instead use destination.port:3389.
The right side of | is where you would perform data aggregation or transformation. This is where, for example, I want to see data aggregated by destination IP and destination port. You would use groupby destination.ip destination.port. You could even expand it further by performing groupby source.ip source.port destination.ip destination.port.
So effectively a proper query with DA&T would look something like this:
destination.port:3389 | groupby source.ip source.port destination.ip destination.port
You can add additional separate DA&T by adding another separator | and looking at other fields of interest. For example, maybe you would want to see what the data sources are; you could do:
destination.port:3389 | groupby source.ip source.port destination.ip destination.port | groupby event.module event.dataset event.code
For more information see the SecOnion read the docs page on Dashboards and scroll down to OQL.
https://docs.securityonion.net/en/2.4/dashboards.html
Hope that helps.
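
Added example, not part of the original post and not Security Onion's own code: a simplified Python model of the query shape described above, showing that every groupby segment is counted separately over the same filtered events. The sample events, the function names and the single exact-match field:value filter are assumptions made for illustration; real Lucene syntax supports far more.

```python
from collections import Counter

# Constructed sample events with flattened field names (not real data).
# Every event carries every field the queries below group on.
EVENTS = [
    {"source.ip": "10.0.0.5", "source.port": 50122, "destination.ip": "10.0.1.20",
     "destination.port": 3389, "event.module": "zeek", "event.dataset": "conn"},
    {"source.ip": "10.0.0.5", "source.port": 50122, "destination.ip": "10.0.1.20",
     "destination.port": 3389, "event.module": "suricata", "event.dataset": "alert"},
    {"source.ip": "10.0.0.9", "source.port": 49800, "destination.ip": "10.0.1.20",
     "destination.port": 3389, "event.module": "zeek", "event.dataset": "conn"},
    {"source.ip": "10.0.0.9", "source.port": 49801, "destination.ip": "10.0.1.30",
     "destination.port": 443, "event.module": "zeek", "event.dataset": "conn"},
]

def split_oql(query):
    """Split on '|': the first part is the filter, the rest are groupby segments."""
    parts = [p.strip() for p in query.split("|")]
    groupbys = []
    for segment in parts[1:]:
        words = segment.split()
        if len(words) < 2 or words[0] != "groupby":
            raise ValueError(f"unsupported segment: {segment!r}")
        groupbys.append(words[1:])
    return parts[0], groupbys

def matches(event, flt):
    """Simplified filter: one exact field:value term (assumption of this model)."""
    field, _, value = flt.partition(":")
    return str(event.get(field)) == value.strip('"')

def run(query, events=EVENTS):
    """Return one count table per groupby segment."""
    flt, groupbys = split_oql(query)
    hits = [e for e in events if matches(e, flt)]
    # Each segment aggregates the same filtered hits; segments are not chained.
    return [Counter(tuple(e[f] for f in fields) for e in hits) for fields in groupbys]

if __name__ == "__main__":
    q = ("destination.port:3389 | groupby source.ip source.port destination.ip "
         "destination.port | groupby event.module event.dataset")
    for table in run(q):
        for key, count in table.most_common():
            print(count, *key)
        print()
```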