The series_sign function returns the sign of each element in a numeric dynamic array (series). The function returns -1 for negative numbers, 0 for zero, and 1 for positive numbers. You can use series_sign when you need to identify the direction or polarity of values in time-series data. This is particularly useful for detecting changes in trends, classifying values by their sign, or preparing data for further analysis where only the direction matters, not the magnitude.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically implement sign detection using conditional statements with eval. In APL, series_sign provides a built-in function that operates on entire arrays efficiently.
... | eval sign=case(value>0, 1, value<0, -1, true(), 0)
In SQL, you use the SIGN() function to determine the sign of individual values. In APL, series_sign applies this operation element-wise across entire arrays.
SELECT SIGN(value) AS sign_value
FROM measurements;

Usage

Syntax

series_sign(array)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| array | dynamic | A dynamic array of numeric values. |

Returns

A dynamic array where each element is:
  • -1 if the corresponding input element is negative
  • 0 if the corresponding input element is zero
  • 1 if the corresponding input element is positive

Use case examples

In log analysis, you can use series_sign to detect whether request durations are above or below a baseline by first subtracting the baseline, then examining the sign.

Query

['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend baseline = 100
| extend deviations = series_subtract(durations, dynamic([100, 100, 100, 100, 100]))
| extend trend = series_sign(deviations)
| take 5

Output

| id | durations | deviations | trend |
| --- | --- | --- | --- |
| u123 | [120, 95, 105, 80, 110] | [20, -5, 5, -20, 10] | [1, -1, 1, -1, 1] |
| u456 | [85, 100, 90, 105, 95] | [-15, 0, -10, 5, -5] | [-1, 0, -1, 1, -1] |

This query calculates deviations from a baseline and uses series_sign to classify whether each request was slower (1), faster (-1), or equal (0) to the baseline.
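
The sign series is what makes "detecting changes in trends" a simple scan. The following Python sketch is an added example, not part of the original documentation and not APL: it models the documented -1/0/1 mapping on the two duration series from the sample output above and locates the points where the direction flips. The helper names (`deviations`, `trend_changes`, `longest_run`, `summarize`) are hypothetical, and the inputs are assumed to be numeric.

```python
# Added example: models the documented series_sign mapping in plain Python.
# All helper names are hypothetical; they are not APL functions.

def series_sign(values):
    """Element-wise sign: -1 for negative, 0 for zero, 1 for positive."""
    return [(v > 0) - (v < 0) for v in values]

def deviations(values, baseline):
    """Subtract a scalar baseline from every element, whatever the length."""
    return [v - baseline for v in values]

def trend_changes(signs):
    """Indexes where the sign flips relative to the last non-zero sign.

    Zeros (value equal to the baseline) carry no direction, so [1, 0, 1]
    has no flip, while [1, 0, -1] flips at index 2.
    """
    flips, last = [], 0
    for i, s in enumerate(signs):
        if s != 0:
            if last != 0 and s != last:
                flips.append(i)
            last = s
    return flips

def longest_run(signs, direction=1):
    """Length of the longest consecutive run of `direction`."""
    best = cur = 0
    for s in signs:
        cur = cur + 1 if s == direction else 0
        best = max(best, cur)
    return best

# Duration series copied from the sample output on this page.
SAMPLE = {
    "u123": [120, 95, 105, 80, 110],
    "u456": [85, 100, 90, 105, 95],
}

def summarize(series_by_id, baseline=100):
    """Per id: sign series, flip positions, longest run above the baseline."""
    out = {}
    for key, durations in series_by_id.items():
        trend = series_sign(deviations(durations, baseline))
        out[key] = {"trend": trend, "flips": trend_changes(trend),
                    "longest_above": longest_run(trend, 1)}
    return out

if __name__ == "__main__":
    for key, row in summarize(SAMPLE).items():
        print(key, row)
```

A long run of 1 values indicates a sustained shift above the baseline, while many flips in a short series indicate values oscillating around it.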

List of related functions

  • series_abs: Returns the absolute value of each element. Use when you need magnitude without direction information.
  • series_subtract: Performs element-wise subtraction. Often used before series_sign to compute deviations from baselines.
  • series_greater: Returns boolean comparison results. Use when you need explicit comparison against a threshold.
  • series_less: Returns boolean comparison results. Use for direct comparison instead of sign-based classification.