1 - Splunk Community

Splunk Enterprise

1

Try something like this

|eval duration_range=mvrange(0, duration + duration%3600, 3600)
| eval duration = 1
|mvexpand duration_range
|eval _time=_time-duration_range
|timechart span=1h max(duration) by dvc

1

Assuming dvc is the ip address you mentioned and duration is reset to 1 after determining a range, how can the max be anything other than 1?

1

Please share the search you are using and the results and explain why this is not what you are expecting

1

You asked a question, I gave you a suggestion, you have completely ignored my suggestion. Please try what I suggested and share your results.

Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...