how do i find biggest losers and gainer in last 24 hours compared to 24 hours before that, with respect to a variable. E.g total_dataconsumed

I have event data in below format: Sep 15 2017 07:06:07 app=yahoo dataconsumed=50 Sep 15 2017 08:16:07 app=skype dataconsumed=150 Sep 14 2017 10:26:07 app=facebook dataconsumed=10 Sep 14 2017 12:26:07 app=facebook dataconsumed=5 Sep 13 2017 7:26:07 app=yahoo dataconsumed=10 Sep 13 2017 9:26:07 app=skype dataconsumed=50 Sep 12 2017 3:26:07 app=facebook dataconsumed=80 Sep 12 2017 1:26:07 app=facebook dataconsumed=0 For example: for above dataset: ...|if( ((total_dataconsumed by app in last half of time) - (total_dataconsumed by app in fprevious half of time) ) >0, "gainer", "loser") for above sample dataset result would be: app gainer_or_loser dataconsumed ---------------------------------------------------- yahoo gainer 40 skype gainer 100 facebook loser -65