Skip to main content
The series_iir function applies an Infinite Impulse Response (IIR) filter to a numeric dynamic array (series). This filter processes the input series using coefficients for both the numerator (feedforward) and denominator (feedback) components, creating a filtered output series that incorporates both current and past values. You can use series_iir when you need to apply digital signal processing techniques to time-series data. This is particularly useful for smoothing noisy data, removing high-frequency components, implementing custom filters, or applying frequency-selective transformations to time-series measurements.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, signal processing typically requires external tools or complex manual calculations with streamstats. In APL, series_iir provides built-in digital filtering capabilities for array data.
... | streamstats window=5 avg(value) as smoothed_value
... (limited to basic moving averages)
In SQL, implementing IIR filters requires complex recursive queries or user-defined functions. In APL, series_iir provides this functionality as a built-in operation on array data.
-- Complex recursive CTE required for IIR filtering
WITH RECURSIVE filtered AS (...)
SELECT * FROM filtered;

Usage

Syntax

series_iir(array, numerator, denominator)

Parameters

ParameterTypeDescription
arraydynamicA dynamic array of numeric values (input series).
numeratordynamicA dynamic array of numerator (feedforward) coefficients.
denominatordynamicA dynamic array of denominator (feedback) coefficients.

Returns

A dynamic array containing the filtered output series after applying the IIR filter defined by the numerator and denominator coefficients.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
In log analysis, you can use series_iir to smooth noisy request duration measurements, making trends and patterns more visible.Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend smoothed = series_iir(durations, dynamic([0.2, 0.6, 0.2]), dynamic([1.0]))
| take 5
Run in PlaygroundOutput
iddurationssmoothed
u123[50, 120, 45, 200, 60][50, 91, 62, 128, 88]
u456[30, 35, 80, 40, 45][30, 33, 54, 46, 45]
This query applies an IIR filter to smooth request duration measurements, reducing noise while preserving the underlying trend.
  • series_sum: Returns the sum of series elements. Use for simple aggregation instead of filtering.
  • series_stats: Returns statistical measures. Use for statistical analysis instead of signal processing.
  • series_abs: Returns absolute values. Often used after IIR filtering to analyze magnitude.
  • make_series: Creates time-series from tabular data. Often used before applying series_iir for signal processing.