https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284372#M85984 <P>I have bills that come in at irregular periods. Here is an example for 1 type:</P> <PRE><CODE>{name:building1Water, startDate:2015-12-30, Cost:300} {name:building1Water, startDate:2015-09-30, Cost:100} {name:building1Water, startDate:2015-08-30, Cost:100} </CODE></PRE> <P>In this example, the bill for 2015-12-30 covers the months of December ($100) , November($100), and October($100). I would like to average out the Cost over the missing months. What would be the timechart syntax for this?</P> <P>I would like to see:</P> <PRE><CODE> 2015-12 building1Water 100 2015-11 building1Water 100 2015-10 building1Water 100 2015-09 building1Water 100 2015-08 building1Water 100 </CODE></PRE> Tue, 31 May 2016 14:07:01 GMT suarezry 2016-05-31T14:07:01Z https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284372#M85984 <P>I have bills that come in at irregular periods. Here is an example for 1 type:</P> <PRE><CODE>{name:building1Water, startDate:2015-12-30, Cost:300} {name:building1Water, startDate:2015-09-30, Cost:100} {name:building1Water, startDate:2015-08-30, Cost:100} </CODE></PRE> <P>In this example, the bill for 2015-12-30 covers the months of December ($100) , November($100), and October($100). I would like to average out the Cost over the missing months. What would be the timechart syntax for this?</P> <P>I would like to see:</P> <PRE><CODE> 2015-12 building1Water 100 2015-11 building1Water 100 2015-10 building1Water 100 2015-09 building1Water 100 2015-08 building1Water 100 </CODE></PRE> Tue, 31 May 2016 14:07:01 GMT https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284372#M85984 suarezry 2016-05-31T14:07:01Z https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284373#M85985 <P>What are you expecting to see as a resulting dataset to graph?</P> Tue, 31 May 2016 14:14:44 GMT https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284373#M85985 woodcock 2016-05-31T14:14:44Z https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284374#M85986 <P>Thanks woodcock. I have updated my question to indicate what I would like to see.</P> Tue, 31 May 2016 14:34:21 GMT https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284374#M85986 suarezry 2016-05-31T14:34:21Z https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284375#M85987 <P>Try like this (assuming _time is set based on startDate field)</P> <PRE><CODE>your base search | timechart span=1mon values(Cost) as Cost | streamstats current=f window=1 values(_time) as prev_time | eval days=(strftime(_time,"%m")-strftime(prev_time,"%m") | eval Cost=Cost/days | eval temp=mvrange(0,days,1) | mvexpand temp | eval _time=relative_time(_time,"-".temp."mon@mon") | table _time Cost </CODE></PRE> Tue, 31 May 2016 15:01:36 GMT https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284375#M85987 somesoni2 2016-05-31T15:01:36Z https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284376#M85988 <P>That is exactly what I needed! timechart the cost per day! modifying _time with relative_time was new to me. Thank you!</P> Tue, 29 Sep 2020 09:50:45 GMT https://community.splunk.com/t5/Splunk-Search/timechart-average-out-value-over-missing-time/m-p/284376#M85988 suarezry 2020-09-29T09:50:45Z