My goal is to make a report that has running total (cumulative) data across years. Current year data is queried from Splunk while prior year data is all housed in a lookup (called TY19_Splunk_total_data.csv).

My issue is that this report will be on a dashboard that has date range selectors. When the date range is selected, the streamstats works correctly for current year data (since it isolates the data from dates selected in the range THEN adds) but not for prior year data because I don't know how to restrict data in the inputlookup by "date" + 1 yr while at the same time, having the tokens apply to my base splunk search.

Hopefully that makes sense... here's the query I'm working with

    [base query] year=<current_year>
    | timechart span=1d dc(intuit_tid) as current_year_data
    | streamstats sum(current_year_data) as current_year_data
    | eval time=strftime(_time,"%m-%d")
    | join time
    [| inputlookup TY19_Splunk_total_data.csv
    | eval token_time=relative_time(strptime(time,"%m/%d/%Y"),"+1y")
    | where capability="W2" and token_time>=$time.earliest$ and token_time<$time.latest$
    | eval time=strftime(strptime(time,"%m/%d/%Y"),"%m-%d")
    | stats sum(attempts) as prior_year_data by time
    | streamstats sum(prior_year_data ) as prior_year_data
    | fields time prior_year_data ]
    | fields time current_year_data prior_year_data
    | fields - _time