With your additional suggestion of MVEXPAND, I learned about those functions and was able to finally make it work as I wanted. Thanks so much for the help!!
This query splits the multi-value fields of 'Server', 'serviceAcct', and 'ark_time' into separate fields that can then be compared/sorted.
'Server' is pulled from a field (servcon) that looks like this: " (Action: Connect)(Connection to address: servername1234)"
The multi-value fields are combined into combinedFields.
combinedFields is then mvexpanded to create additional records.
The data goes from this:
User, Server, serviceAcct, ark_time, Orig_time
Some.Guy@nowhere.com, server1234 server2234 server3234 server4234 server5234, PROD_4 PROD_4 PROD_5 PROD_4 PROD_3, 07/11/2018 14:29:00 07/24/2018 09:44:49 07/24/2018 11:13:51 07/10/2018 15:45:41 07/10/2018 15:45:41, 07/24/2018 09:26:00
To this:
User, Server, serviceAcct, ark_time, Orig_time
Some.Guy@nowhere.com, server1234, PROD_4, 07/11/2018 14:29:00, 07/24/2018 09:26:00
Some.Guy@nowhere.com, server2234, PROD_4, 07/24/2018 09:44:49, 07/24/2018 09:26:00
Some.Guy@nowhere.com, server3234, PROD_5, 07/24/2018 11:13:51, 07/24/2018 09:26:00
etc
Here is the completed query for future reference:
| rename OVW_Value1 as serverRequested, OVW_Value2 as userName, OVW_Value3 as requestDate, OVW_Value4 as requestHour, OVW_Value5 as Orig_time, USR_EMAIL1 as email
| lookup ark_admin User as email OUTPUTNEW "Server Connection" AS servcon "Service Account" AS serviceAcct Time AS ark_time
| rex field=servcon "address: (?<Server>[^)]+)"
| eval EndTime = strftime(relative_time(strptime(Orig_time, "%m/%d/%Y %H:%M:%S"),"+72h"),"%m/%d/%Y %H:%M:%S")
| eval combinedFields= mvzip (mvzip (Server,serviceAcct),ark_time)
| mvexpand combinedFields
| rex field=combinedFields "(?<serverAccessed>\w+),(?<serviceAcctUsed>\w+),(?<serverTimeAccessed>\d+/\d+/\d+ \d+:\d+:\d+)"
| where strptime(serverTimeAccessed, "%m/%d/%Y %H:%M:%S") > strptime(Orig_time, "%m/%d/%Y %H:%M:%S") and strptime(serverTimeAccessed, "%m/%d/%Y %H:%M:%S") <= relative_time(strptime(Orig_time, "%m/%d/%Y %H:%M:%S"),"+72h")
| table email userName serverRequested serverTimeAccessed serviceAcctUsed serverAccessed Orig_time EndTime
| sort +serverTimeAccessed
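As an added example (not part of the original post), the same mvzip/mvexpand/where pipeline reimplemented in plain Python over a constructed copy of the sample record above, so the 72-hour window logic can be checked offline. The servcon strings and field names are assumptions modelled on the post.

```python
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: the multi-value record shown above after the lookup.
# 'servcon' mimics the lookup's "Server Connection" field for each access.
RECORD = {
    "email": "Some.Guy@nowhere.com",
    "Orig_time": "07/24/2018 09:26:00",
    "servcon": [f" (Action: Connect)(Connection to address: server{n}234)"
                for n in (1, 2, 3, 4, 5)],
    "serviceAcct": ["PROD_4", "PROD_4", "PROD_5", "PROD_4", "PROD_3"],
    "ark_time": ["07/11/2018 14:29:00", "07/24/2018 09:44:49",
                 "07/24/2018 11:13:51", "07/10/2018 15:45:41",
                 "07/10/2018 15:45:41"],
}


def expand(record):
    """rex on servcon + mvzip(mvzip(Server, serviceAcct), ark_time) + mvexpand,
    then splitting combinedFields back into its three fields."""
    servers = [re.search(r"address: ([^)]+)", s).group(1) for s in record["servcon"]]
    # mvzip pairs values positionally and stops at the shorter list, as zip() does.
    return [{"email": record["email"], "Orig_time": record["Orig_time"],
             "serverAccessed": srv, "serviceAcctUsed": acct, "serverTimeAccessed": t}
            for srv, acct, t in zip(servers, record["serviceAcct"], record["ark_time"])]


def within_window(rows, hours=72):
    """The where clause: keep accesses in (Orig_time, Orig_time + 72h],
    then sort ascending by access time like '| sort +serverTimeAccessed'."""
    kept = []
    for row in rows:
        start = datetime.strptime(row["Orig_time"], TIME_FMT)
        accessed = datetime.strptime(row["serverTimeAccessed"], TIME_FMT)
        if start < accessed <= start + timedelta(hours=hours):
            kept.append(row)
    return sorted(kept, key=lambda r: datetime.strptime(r["serverTimeAccessed"], TIME_FMT))


if __name__ == "__main__":
    for row in within_window(expand(RECORD)):
        print(row["serverAccessed"], row["serviceAcctUsed"], row["serverTimeAccessed"])
```

One difference worth knowing: this sorts on the parsed timestamp, whereas the SPL `sort +serverTimeAccessed` sorts the mm/dd/yyyy string lexically, which is only chronological within a single year.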