And if you want them all overlayed in a pretty graph...

Otherwise, you can build a series-based chart, newest on the left.

Thanks a lot and really appreciate your patience and effort ,but we dont use timewrap app

I wanted to show a longer-period one as well, as an example. You'll have to modify it slightly to fit your data, but it should be pretty easy to get working.

sourcetype="WinEventLog:Security" earliest=-4w
| timechart count span=1w 
| timewrap w series=short
| eval _time=strftime(_time, "%Y-%m-%d 00:00:00") | eval _time=strptime(_time, "%Y-%m-%d %H:%M:%S")
| stats sum(s*) as s* by _time

There is some tomfoolery going on in there, though, caused by timewrap and Daylight Savings time. I explain below, but that's essentially boilerplate you can paste in on any of them.

The first line is my base search, this will obviously need changed to YOUR search.
Next I timechart it into weekly chunks. I'm just doing count and I'm not using a "by" clause, but you can add those.
We timewrap to get it like you want. Note this is where DST comes in - timewrap seems to chunk into non-DST-handling pieces, so you'd get TWO rows of results not one (try the search up to this point, leaving off the rest, and you'll see what I mean).
To fix the DST-crossover issue, we recalculate _time to be _time without hours using a pair of evals. Since we're rolling up by weeks, it'll hardly matter if you don't have the hours in your "underlying" events.
Then, to actually smash the two rows into one as required, we pipe it through stats (and rename all the sum(s3) fields into just s3).

If you want after this, you could always rename things afterwards, too. ... | rename s0 as "This Week", s1 as "Previous week"

Please give these a try and let us know how well they work - if they do what you need, great! If they do not, then give a bit of detail about what they don't quite do and we can help with those, too!

Hello rich7177,

I have seen your links and read the documentation,but my requirement is a different which is used for comparison,the documentation mostly refers to a timechart command,but I am trying to build a column chart which gives you the comparison of present month compared to the sum of the previous three months and similarly for monday of a week to monday of previous week

If you are comparing equal-sized time frames, timewrap works well. The three examples I link to may have timechart in them, but they are definitely not about timechart. They only use timechart to build some summary information (e.g. your count), but then use timewrap to put that into the shape/format you want.

Let's use your example of comparing this past Monday with the previous Monday.

Here's an example from my own system using a count of my WinEventLog:Security logs and using timewrap.

sourcetype="WinEventLog:Security" earliest=-1w@w 
 | timechart count span=1d 
 | timewrap w 
 | where strftime(_time, "%A") == "Monday"

The first line is just my basic search (which actually goes back more than two weeks because of the timeframe snapping). I could have done something silly like "sum(EventCode)" if I wanted. Line two tells it to timechart a count of events by increments of one day. Then timewrap it on weeks, and finally filters to just those events which happened on Monday.

This gets me a nice little chart (which probably won't line up, but I'm sure you'll figure it out).

_time       latest_week 1week_before
2016-03-28 00:00    48      104

This search can be altered to do month-by-month, week-by-week or other timeframes. Give it a try, if you get started on that but can't figure out some details, post what you have and what it gets you and we can probably help you get the rest.

If you click the "visualization" tab and change it to a column chart, then you'll have a column chart comparing the (in my example) past three Mondays. The links I provided above show a way to filter out the "middle" week.

If you instead mean you want a table oriented up/down instead of left/right, you could use ... | transpose tacked onto the end. But, I don't recommend that unless you actually NEED that, and if that is the case there's a bit more formatting to probably do to it. Just ask if that is actually the case. Please try the others before you go down this route.

Hey vrmandadi,

I can assure you rich is steering you in the correct direction. I have used timewrap to implement custom machine learning algorithms that compare day over day, week over week, month over month.

While general use can be a timechart (people like to see their comparisons in timeseries graphs) you are not limited to timecharts, and remember, for every timechart there is a stats table underneath that can power other vizualizations...the viz you need is truly up to you and your data.

Give it a shot and let us know if you run into issues!

I have to create a dashboard which is bar chart ,which should show the comparison for a particular day this week and compare the same day to the previous week ,similarly for other two also.

I tried something for the month like this

index=*d* sourcetype="abc" earliest=-3mon@mon latest=@mon| chart count by MESSAGE,date_month

does the splunk default time picker has all those?