"index=azure_cost_management earliest=-1mon@mon latest=@mon
| eventstats sum(CostInBillingCurrency) as PreviousMonthActualCost 
| head 1
| table PreviousMonthActualCost, SubscriptionName 
| join type=inner SubscriptionName 
    [| inputlookup MyAzureSubscription-forecast_cost.csv 
     | stats sum(Cost) as CurrentMonthForecastCost by SubscriptionName
     | table CurrentMonthForecastCost, SubscriptionName]
| eval Difference=PreviousMonthActualCost - CurrentMonthForecastCost
| table PreviousMonthActualCost, CurrentMonthForecastCost, Difference,SubscriptionName" 

Here Actual Cost and Forecast Cost are retrieved using Different APIs from Azure Cost Management

Following search would be the easiest solution but based on your data retention policies and amount of events  it may make sense to use a summary index or a lookup as you already do it.

index=azure_cost_management earliest=-6mon@mon latest=@mon
 | timechart span=1month sum(CostInBillingCurrency) by SubscriptionName

To split by SubscriptionName use Trellis as described here: Use trellis layout to split visualizations - Splunk Documentation

The above query helps, but it compares the actual cost of Current Month with Previous Month. I wanted to compare the actual cost of Previous Month and Forecasted Cost of Current Month. Here Actual Cost Data is retrieved from the index and forecasted cost is retrieved from the lookup. Any suggestions on how can I edit the query to get the desired output

The above query is not working as expected. My Lookup Looks Like this and in my index the Date field  is in ("%m/%d/%Y" - 02/01/2023). The _time uses the filed Date during indexing

I edited my previous post and added strptime command. Please check it again.

Thanks Paul. It works. I truly appreciate your help.  Is there any way to show the former value instead of the later one in the visualization