https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419153#M120499 <P>If you are using Splunk 6.5 or higher, the <CODE>timewrap</CODE> function should be available and does exactly this. </P> <P><A href="https://answers.splunk.com/answers/468177/is-timewrap-an-official-spl-command-in-splunk-65.html">https://answers.splunk.com/answers/468177/is-timewrap-an-official-spl-command-in-splunk-65.html</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timewrap">https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timewrap</A></P> <P>You would first summarize your data using timechart, then use timewrap in the next pipe.</P> <P><CODE>|timechart span=1m sum(my_field) | timewrap span=1y</CODE></P> <P>The above should give you a year-over-year chart by month.</P> Mon, 06 Aug 2018 12:35:30 GMT grittonc 2018-08-06T12:35:30Z https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419149#M120495 <P>I am displaying some data by Month for 2018/2019 (i.e. 01-2018, 02-2018) on a barchart.</P> <P>Search Query:<BR /> ( sourcetype=sourcetype1) OR (sourcetype=sourcetype2) OR (sourcetype=sourcetype3)<BR /> | chart sum(eval(if(sourcetype="sourcetype1",ICOS,NULL))) as Actuals sum(eval(if(sourcetype="sourcetype2",ICOS,NULL))) as Forecast sum(eval(if(sourcetype="sourcetype3",ICOS,NULL))) as Budget over "Month"</P> <P>However I also want to be able to overlay 2017 data so that 2017-01 is shown above 2018-01 without adding to the x-axis.</P> <P>Any ideas how I could do that?</P> Tue, 03 Jul 2018 15:35:24 GMT https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419149#M120495 jackreeves 2018-07-03T15:35:24Z https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419150#M120496 <P>Here is a technique from <A href="https://www.splunk.com/pdfs/exploring-splunk.pdf">Exploring Splunk</A> by David Carasso. I recommend downloading this since it has several good examples in it. This search shows how to compare last weeks results to this weeks results on the same chart, by labeling data from last week and this week, then adjusting _time so they line up for charting.</P> <PRE><CODE>earliest=-2w@w latest=@w | eval marker = if (_time &lt; relative_time(now(), “-1w@w”), “last week”, “this week”) | eval _time = if (marker==”last week”, _time + 7*24*60*60, _time) | timechart avg(bytes) by marker </CODE></PRE> Tue, 03 Jul 2018 15:47:40 GMT https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419150#M120496 kmorris_splunk 2018-07-03T15:47:40Z https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419151#M120497 <P>Thanks for the response. The pdf is very interesting.</P> <P>I believe this would be quite messy when you try and apply across 12 months. Any alternatives?</P> Wed, 04 Jul 2018 14:49:19 GMT https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419151#M120497 jackreeves 2018-07-04T14:49:19Z https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419152#M120498 <P>Added below to search and has worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> <CODE>| appendcols <BR /> [ search index=finance sourcetype=hfm_actuals Country1="EMEIA" AND Organisation="DTS_DWS" "Financial Year ending"=2018 <BR /> | eval _time=relative_time((_time),"+1year") <BR /> | chart sum(ICOS) as "FY18 Actuals" over Month]</CODE></P> Wed, 04 Jul 2018 15:30:01 GMT https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419152#M120498 jackreeves 2018-07-04T15:30:01Z https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419153#M120499 <P>If you are using Splunk 6.5 or higher, the <CODE>timewrap</CODE> function should be available and does exactly this. </P> <P><A href="https://answers.splunk.com/answers/468177/is-timewrap-an-official-spl-command-in-splunk-65.html">https://answers.splunk.com/answers/468177/is-timewrap-an-official-spl-command-in-splunk-65.html</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timewrap">https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timewrap</A></P> <P>You would first summarize your data using timechart, then use timewrap in the next pipe.</P> <P><CODE>|timechart span=1m sum(my_field) | timewrap span=1y</CODE></P> <P>The above should give you a year-over-year chart by month.</P> Mon, 06 Aug 2018 12:35:30 GMT https://community.splunk.com/t5/Splunk-Search/Overlaying-a-previous-years-data-on-chart/m-p/419153#M120499 grittonc 2018-08-06T12:35:30Z