Use the compare command to compare metrics generated in link analysis to the previous time windows.

Following example query compares the data transfer between two IPs across previous four days by using the compare command:

'Log Source' = 'OCI VCN Flow Unified Schema Logs'
| eval 'Bytes Transferred' = unit('Content Size Out', byte)
| link Time, 'Source IP', 'Destination IP'
| stats sum('Bytes Transferred') as 'Transfer Size' 
| compare fields = 'Transfer Size' timeshift = -1day count = 4

The resulting histogram chart that indicates the comparison: