Skip to main content
The series_less function compares two numeric arrays element by element and returns a Boolean array. Each position in the result contains true if the element in the first array is less than the corresponding element in the second array, and false otherwise. You use series_less when you want to evaluate trends across sequences of numeric values. It’s especially useful in time series analysis, anomaly detection, or comparing metrics side by side. For example, you can check if response times are decreasing compared to a baseline or if one service consistently performs faster than another.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, comparisons across series typically rely on eval with conditional expressions or custom logic in combination with timechart. In contrast, APL provides specialized series_* functions like series_less to directly compare arrays element by element.
... | timechart avg(req_duration_ms) as avg_dur 
| eval faster = if(avg_dur < 200, true, false)
In ANSI SQL, you normally compare scalar values rather than arrays. To compare sequences, you need to join tables with offsets or use window functions. In APL, series_less simplifies this by applying the comparison across arrays in a single step.
SELECT t1._time,
       CASE WHEN t1.req_duration_ms < t2.req_duration_ms THEN true ELSE false END AS is_less
FROM logs t1
JOIN logs t2
  ON t1._time = t2._time

Usage

Syntax

series_less(array1, array2)

Parameters

ParameterTypeDescription
array1arrayThe first array of numeric values.
array2arrayThe second array of numeric values. Must have the same length as array1.

Returns

An array of Boolean values. Each element is true if the corresponding element in array1 is less than the element in array2, otherwise false.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
You want to check whether the average request duration in each city is less than a fixed threshold of 150 milliseconds.Query
['sample-http-logs'] | take 50 | make-series city_avg = avg(req_duration_ms) on _time step 1h by ['geo.city'] | extend threshold = dynamic([150, 150, 150]) | extend is_less = series_less(city_avg, threshold)
Run in PlaygroundOutput
geo.citycity_avgthresholdis_less
London[120, 90, 100][150, 150, 150][true, true, true]
Paris[180, 200, 190][150, 150, 150][false, false, false]
This query shows whether each city’s request duration stays below a 150 ms threshold at each time step.
  • series_greater_equals: Compares two arrays and returns true when elements in the first array are greater than or equal to the second array.
  • series_greater: Compares two arrays and returns true where the first array element is greater than the second.
  • series_less_equals: Compares two arrays and returns true where the first array element is less than or equal to the second.
  • series_not_equals: Compares two arrays and returns true where elements aren’t equal.