NetFlows provide the source and destination port.  When a user accesses a web site, the source port is an ephemeral port and the destination port is typically a well-known port such as 443 (https).  When the web server responds to the request, the source port and destination port are reversed.

There are many cases where it is more useful to have a concept of a client port and server port where the ports are not reversed in the response.  This means it has to identify who initiated the transaction.  One way of accomplishing this is documented in the flowlogs-pipleline.

        The seventh rule conn_tracking generates a new field named isNewFlow that contains the contents of the parameters variable only for new entries (first seen in 120 seconds) that match hash of template fields from the input variable.

However, this will only be accurate if sampling is turned off.

A new transformation in the flowlogs-pipeline can add the client port and server port fields.  The UI can then add these columns to the NetFlow table.