okay, to give you three events, each with the _time, host, and one of the ports, you can do either of these

| eval myports=mvappend("Port1=".Port1."Port2=".Port2."Port3=".Port3) 
| table _time host myports 
| mvexpand myports 
| rex field=myports "(?<myport>[^=]+)=(?<myvalue>.*)$) 
| eval {myport} = myvalue 
| fields - myports myport myvalue 

This first one gives you a record that looks like | table _time host Port* where Port* is either Port1, Port2 or Port3.

OR

| streamstats count as recno  
| rename _time as time 
| untable recno portname portvalue 
| eventstats min(eval(if(portname="time",portvalue)) as _time min(eval(if(portname="host",portvalue)) as host by recno 
| where portname!="time" AND portname!="host"

This second one gives a record that looks like

| table _time host portname portvalue