I have data that is extracted from log events by multiple neighbor pairs. I would like to extract deltas on an integer field tableversion, but only among the same neighbor pair Streamstats was suggested for deltas with a ‘by’ clause. In my example below, the first line delta is empty as expected, and the 2nd line delta is correct. All deltas in later lines are incorrect. How do I make streamstats only look at the previous entry?

index=network_internal source="bgp.log" "BGP Queue" 
| eval neighborpair=host + ":" + neighbor
| sort neighborpair,timestamp
| streamstats window=2 global=f current=f first(tableversion) as tableversion_prev by neighborpair
| eval delta=tableversion-tableversion_prev
| table timestamp neighborpair neighborstate nsrstate tableversion delta inq outq prefixes