
Trying to chart ONLY the reprocessed cartons.

(Data coming from a PLC Conveyor system.) I'm trying to show how many cartons were RE-processed manually, each day, during the last 7 days. My first thought was to subtract count(SCarton)-dc(SCarton) in some sort of eval. (But days of attempts have shown no luck. Neither by direct subtraction, nor subtraction in an eval, nor subtraction in an eval to variables, before the charting.) I settled on the following . . .

Cartons processed per day, last Seven Days
source=tcp:5002 Quality!="bad" "Station_Print_Label" | timechart span=1d count(SCarton),dc(SCarton)
-7d@d

At least I can visually see the blue "count" peaks, whenever they exceed the yellow "dc" baseline. Then hover over them for the #'s. I wish it were ONLY the difference, and, even what I have, I now suspect isn't what I want. For spans of 1d, if a carton is put back, it's probably put back in the same day. But if this were 5min spans . . . it's entirely possible that a carton that first printed in the previous bucket appears to be unique in the next bucket. So no difference would appear, since the reentry appears in a subsequent bucket.

I've spent days looking. Two major factors hurting me are A: I'm unclear what's passed via the pipe? Is it a table? Is it matching events left over from any previous comparisons? Is it the sum of all human knowledge? And B: what is the output of an eval? Is it a single scalar value? Is it processed events? Is it a table? Can I even use some sort of eval to subtract dc from count for a given bucket?

If this were C or better Perl . . . I could sweep all the (time sorted) cartons passing the Print Station, and for any serial # I encounter that has been seen before, I accumulate output for that time bucket, as I now know it's a duplicate. When I reach the end of any time bucket, I'd print the total obtained, and reset the counter to 0 for the next bucket. But I'm just at a loss how (or if) such a simple comparison (and its chart) is possible in Splunk.
Any pointers would be appreciated.
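
The two counting methods described in the question, side by side, as an added example that is not part of the original post: per-bucket count minus distinct count, and the time-sorted sweep that remembers every serial seen so far. The events, serial numbers and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: (timestamp, carton serial) seen at the Print Station.
EVENTS = [
    ("2024-01-01 08:01:00", "C100"),
    ("2024-01-01 08:03:00", "C101"),
    ("2024-01-01 08:04:00", "C100"),  # re-entry inside the same 5-minute bucket
    ("2024-01-01 08:07:00", "C101"),  # re-entry in the next 5-minute bucket
    ("2024-01-01 08:08:00", "C102"),
    ("2024-01-02 09:00:00", "C102"),  # re-entry on the following day
]
EPOCH = datetime(1970, 1, 1)

def parse(events):
    """Return (datetime, serial) pairs sorted by time."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s) for t, s in events)

def bucket_start(ts, span):
    """Floor a timestamp to the start of its bucket of width `span`."""
    return EPOCH + ((ts - EPOCH) // span) * span

def count_minus_dc(events, span):
    """Per bucket: total events minus distinct serials in that bucket only."""
    total, serials = Counter(), {}
    for ts, serial in parse(events):
        b = bucket_start(ts, span)
        total[b] += 1
        serials.setdefault(b, set()).add(serial)
    return {b: total[b] - len(serials[b]) for b in total}

def sweep_reprocessed(events, span):
    """Per bucket: events whose serial was already seen anywhere earlier."""
    seen, out = set(), Counter()
    for ts, serial in parse(events):
        b = bucket_start(ts, span)
        out[b] += 0              # keep buckets with no re-entries at zero
        if serial in seen:
            out[b] += 1          # duplicate: charge it to the current bucket
        seen.add(serial)         # memory is never reset between buckets
    return dict(out)

if __name__ == "__main__":
    for span in (timedelta(minutes=5), timedelta(days=1)):
        print(span, sum(count_minus_dc(EVENTS, span).values()),
              sum(sweep_reprocessed(EVENTS, span).values()))
```

The sweep only knows about serials inside the window it is given, so a carton first printed before the window starts is counted as new.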
