Hi Guys,

I am trying find changes in office 365 ip address and URL using SPL by comparing results from today to yesterday.
Probably there is an efficient way of doing this too!
 

Script:
index=dp source="rest://Query" earliest=-1d@d latest=now

| stats values(tcpPorts) as tcpPorts_t values(udpPorts) as udpPorts_t values(ips{}) as ips_t by urls{}

|  appendcols

    [search index=dp source="rest://Query" earliest=-2d@d latest=-1d@d

| stats values(tcpPorts) as tcpPorts_y values(udpPorts) as udpPorts_y values(ips{}) as ips_y by  urls{} ]

| eval change=if("tcpPorts_t"="tcpPorts_y" OR "udpPorts_t"="udpPorts_y" or "ips_t"="ips_y", "Change", "No Change")

| join type=left  change

    [search index=dp source="rest://Query" earliest=-1d@d latest=now

| stats values(tcpPorts) as tcpPorts_t values(udpPorts) as udpPorts_t values(urls{}) as urls{}_t by ips{}

|  appendcols

    [search index=dp source="rest://Query" earliest=-2d@d latest=-1d@d

| stats values(tcpPorts) as tcpPorts_y values(udpPorts) as udpPorts_y values(urls{}) as urls{}_y by ips{} ]

| eval change=if("tcpPorts_t"="tcpPorts_y" OR "udpPorts_t"="udpPorts_y" or "urls{}_t"="urls{}_y", "Change", "No Change") ]

| table  change tcpPorts_t tcpPorts_y udpPorts_t udpPorts_y ips_t ips_y urls{}_t urls{}_y

|  sort - change

 
Ip address are appearing ok but getting just 1 value for url. Not too sure if Makemv will help here?