The series_max function compares two numeric arrays element by element and returns a new array. Each position in the result contains the maximum value between the corresponding elements from the two input arrays. You use series_max when you want to create an envelope or upper bound from multiple series, combine baseline metrics with actual values, or merge data from different sources by keeping the higher value at each point. For example, you can compare response times across different servers and keep the higher value at each time point, or combine SLA thresholds with actual measurements.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, element-wise maximum comparisons typically require custom logic with eval or foreach. In contrast, APL provides the specialized series_max function to directly compare arrays element by element and return the maximum values.
... | timechart avg(cpu_usage) as cpu1, avg(cpu_usage_backup) as cpu2
| eval max_cpu = if(cpu1 > cpu2, cpu1, cpu2)
In ANSI SQL, you use the GREATEST() function to compare scalar values. To compare sequences element-wise, you need window functions or complex joins. In APL, series_max simplifies this by applying the maximum operation across arrays in a single step.
SELECT t1._time,
       GREATEST(t1.req_duration_ms, t2.req_duration_ms) AS max_duration
FROM logs t1
JOIN logs t2
  ON t1._time = t2._time

Usage

Syntax

series_max(array1, array2)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| array1 | array | The first array of numeric values. |
| array2 | array | The second array of numeric values. Must have the same length as array1. |

Returns

An array of numeric values. Each element is the maximum of the corresponding elements from array1 and array2.

Use case examples

Log analysis

You want to create an upper bound by comparing request durations across two different cities and keeping the higher value at each time point.

Query
['sample-http-logs']
| take 50
| make-series london_avg = avgif(req_duration_ms, ['geo.city'] == 'London'),
             paris_avg = avgif(req_duration_ms, ['geo.city'] == 'Paris')
             on _time step 1h
| extend max_duration = series_max(london_avg, paris_avg)
Output

| london_avg | paris_avg | max_duration |
| --- | --- | --- |
| [120, 150, 100] | [180, 130, 190] | [180, 150, 190] |

This query compares response times between two cities and creates a series containing the higher value at each time point.
  • series_min: Compares two arrays and returns the minimum value at each position.
  • series_less: Compares two arrays and returns true where elements in the first array are less than the second.
  • series_greater: Compares two arrays and returns true where the first array element is greater than the second.
  • max: Aggregation function that returns the maximum value across grouped records.