Assuming ascending values and events in time order, try something like this
``` Assuming your search gives events in time order ```
``` fill nulls with -1 (so they can be detected after untable) ```
| fillnull value=-1
``` untable so events can be processed by id ```
| untable _time id valLast
``` split off original null fields ```
| eval null=if(valLast=-1,1,0)
| eval valLast=if(valLast=-1,null(),valLast)
``` filldown using max (assumes valLast doesn't decrease) ```
| streamstats max(valLast) as valLast by id
``` find change in valLast and detect start and end of sequence of nulls ```
| streamstats range(valLast) as diff range(null) as nulls window=2 global=f by id
``` count nulls by id ```
| streamstats sum(null) as nullnumber global=f by id
``` calculate null number at start of sequence ```
| eval start=if(null=1 AND nulls=1,nullnumber,null())
``` calculate null number at end of sequence ```
| eval end=if(null=0 AND nulls=1,nullnumber,null())
``` filldown null number by id ```
| streamstats max(start) as start by id
``` calculate number of events to spread the difference over ```
| eval nullsplusone=end-start+1+1
``` spread the difference across nulls and end of sequence ```
| eval diffspread=diff/nullsplusone
``` reverse events ```
| reverse
``` filldown spread diff by id ```
| streamstats last(diffspread) as lastdiff by id
``` calculate new difference based on whether first non-null after a sequence or originally null ```
| eval newdiff=if(isnotnull(end) OR null=1, lastdiff, diff)
``` reverse to original order ```
| reverse
``` rechart by time and id ```
| xyseries _time id newdiff
Comments to hopefully make it clear what's going on
