Hi all, I am trying to detect changes in the Office 365 IP addresses and URLs using SPL by comparing today's results with yesterday's. There is probably a more efficient way of doing this too. Script: index=dp source="rest://Query" earliest=-1d@d latest=now | stats values(tcpPorts) as tcpPorts_t values(udpPorts) as udpPorts_t values(ips{}) as ips_t by urls{} | appendcols [search index=dp source="rest://Query" earliest=-2d@d latest=-1d@d | stats values(tcpPorts) as tcpPorts_y values(udpPorts) as udpPorts_y values(ips{}) as ips_y by urls{} ] | eval change=if("tcpPorts_t"="tcpPorts_y" OR "udpPorts_t"="udpPorts_y" or "ips_t"="ips_y", "Change", "No Change") | join type=left change [search index=dp source="rest://Query" earliest=-1d@d latest=now | stats values(tcpPorts) as tcpPorts_t values(udpPorts) as udpPorts_t values(urls{}) as urls{}_t by ips{} | appendcols [search index=dp source="rest://Query" earliest=-2d@d latest=-1d@d | stats values(tcpPorts) as tcpPorts_y values(udpPorts) as udpPorts_y values(urls{}) as urls{}_y by ips{} ] | eval change=if("tcpPorts_t"="tcpPorts_y" OR "udpPorts_t"="udpPorts_y" or "urls{}_t"="urls{}_y", "Change", "No Change") ] | table change tcpPorts_t tcpPorts_y udpPorts_t udpPorts_y ips_t ips_y urls{}_t urls{}_y | sort - change The IP addresses appear correctly, but I only get one value for the URL. I am not sure whether makemv would help here. Review notes on the query above: (1) In the eval, "tcpPorts_t"="tcpPorts_y" compares two string literals, not two fields, so it is always false and every row is labelled "No Change"; field names must be unquoted or single-quoted (tcpPorts_t!=tcpPorts_y), and since a difference is what should be flagged, the comparison should be inequality, e.g. `eval change=if('tcpPorts_t'!='tcpPorts_y' OR 'udpPorts_t'!='udpPorts_y' OR 'ips_t'!='ips_y', "Change", "No Change")`. (2) appendcols pairs rows by position, not by urls{}, so as soon as an endpoint is added or removed the two days no longer line up and every later row is compared against the wrong URL; run one search over both days and key on the URL instead, e.g. `earliest=-2d@d latest=now | eval day=if(_time>=relative_time(now(),"-1d@d"),"today","yesterday") | stats values(tcpPorts) as tcpPorts values(udpPorts) as udpPorts values(ips{}) as ips by urls{} day`, then compare the two day rows per URL (a URL present on only one day is itself a change). (3) The `join type=left change` joins on a field that only ever holds "Change" or "No Change", and join keeps the first matching right-hand row per key, so every row receives the same single URL from the subsearch; that, not a missing makemv, is why only one URL value appears. Subsearch result and runtime limits may also truncate the right-hand side on large endpoint lists. Because this output presumably drives firewall or proxy allowlist updates, a false "No Change" is the dangerous failure mode; validate the rewritten query against a day where the endpoint list is known to have changed, and note that the Office 365 endpoint web service also publishes a version/changes feed that can serve as the authoritative cross-check.