I've got another issue on the same question..
Some of attributes will take more than one value.
for instance, each vserver will have multiple NICs, the result from the query seems like only take one ip address out of many. Then it will compare the latest result (single value)and result in fieldsChanges on NIC IPs. which consists of array and they are not changed.
I tried to change latest() to values() and sort it by descending on value(). however it still doesn't give me matching results of 2 arrays values for the single fields.

Is there any workaround for it?

I am sure that I am misunderstanding you but let met try to summarize:
The vserver field actually contains an IP Address.
Any server can have multiple NICs (e.g. multiple IP Addresses, or multiple vserver values).
The solution works but you desire that it break out by server, not vserver (IP Address).

If this is correct then the way to handle this is to normalize all IPAddreses to a new field called server and use that field name instead of vserver in the solution. Typically this is done by a lookup that is created from another system such as a CMDB.

its working great. I ve got what I need. Thank you

Is there any reference kb for me to understand this eval ?

if((<<FIELD>> > 1), fieldsChanged . "<<MATCHSTR>>,", fieldsChanged)

It is just foreach:

http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Foreach

This step is stacking up the fields; if the number of values of the field is more than 1, add the field name as a value to the fieldsChanged field.