Skip to main content
The series_min function compares two numeric arrays element by element and returns a new array. Each position in the result contains the minimum value between the corresponding elements from the two input arrays. You use series_min when you want to create a lower bound from multiple series, combine baseline metrics with actual values while keeping the smaller value, or merge data from different sources by selecting the lower value at each point. For example, you can compare response times across different servers and keep the lower value at each time point, or create minimum thresholds from multiple sources.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, element-wise minimum comparisons typically require custom logic with eval or foreach. In contrast, APL provides the specialized series_min function to directly compare arrays element by element and return the minimum values.
... | timechart avg(latency) as latency1, avg(latency_backup) as latency2
| eval min_latency = if(latency1 < latency2, latency1, latency2)
In ANSI SQL, you use the LEAST() function to compare scalar values. To compare sequences element-wise, you need window functions or complex joins. In APL, series_min simplifies this by applying the minimum operation across arrays in a single step.
SELECT _time,
       LEAST(t1.req_duration_ms, t2.req_duration_ms) AS min_duration
FROM logs t1
JOIN logs t2
  ON t1._time = t2._time

Usage

Syntax

series_min(array1, array2)

Parameters

ParameterTypeDescription
array1arrayThe first array of numeric values.
array2arrayThe second array of numeric values. Must have the same length as array1.

Returns

An array of numeric values. Each element is the minimum of the corresponding elements from array1 and array2.

Use case examples

  • Log analysis
  • Security logs
You want to create a lower bound by comparing request durations across two different cities and keeping the lower value at each time point.Query
['sample-http-logs']
| take 50
| make-series london_avg = avgif(req_duration_ms, ['geo.city'] == 'London'),
             paris_avg = avgif(req_duration_ms, ['geo.city'] == 'Paris')
             on _time step 1h
| extend min_duration = series_min(london_avg, paris_avg)
Run in PlaygroundOutput
london_avgparis_avgmin_duration
[120, 150, 100][180, 130, 190][120, 130, 100]
This query compares response times between two cities and creates a series containing the lower value at each time point.
  • series_max: Compares two arrays and returns the maximum value at each position.
  • series_less: Compares two arrays and returns true where elements in the first array are less than the second.
  • series_greater: Compares two arrays and returns true where the first array element is greater than the second.
  • min: Aggregation function that returns the minimum value across grouped records.