Skip to main content
The series_stats function computes comprehensive statistical measures for a numeric dynamic array (series), returning an array with seven elements containing minimum, maximum, average, variance, standard deviation, and the positions of minimum and maximum values. You can use series_stats when you need a complete statistical summary of time-series data in a single operation. This is particularly useful for understanding data distribution, identifying outliers, calculating confidence intervals, or performing comprehensive data quality assessments without running multiple separate aggregations.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use multiple stats functions to calculate different statistics. In APL, series_stats provides all common statistics in a single operation on array data, returning them as a 7-element array.
... | stats min(value) as min_val, max(value) as max_val, 
    avg(value) as avg_val, stdev(value) as stdev_val by user
In SQL, you calculate multiple aggregate functions separately. In APL, series_stats provides all these statistics in a single function call on array data, returned as a 7-element array.
SELECT 
    MIN(value) as min_val,
    MAX(value) as max_val,
    AVG(value) as avg_val,
    STDDEV(value) as std_val
FROM measurements
GROUP BY user_id;

Usage

Syntax

series_stats(array)

Parameters

ParameterTypeDescription
arraydynamicA dynamic array of numeric values.

Returns

An array with seven numeric elements in the following order:
IndexStatisticDescription
0minThe minimum value in the input array.
1min_idxThe first position of the minimum value in the array.
2maxThe maximum value in the input array.
3max_idxThe first position of the maximum value in the array.
4avgThe average value of the input array.
5varianceThe sample variance of the input array.
6stdevThe sample standard deviation of the input array.

Use case examples

  • Log analysis
  • Security logs
In log analysis, you can use series_stats to get a comprehensive statistical summary of request durations for each user, helping identify performance patterns and outliers.Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend stats_array = series_stats(durations)
| project id, 
    min_duration = stats_array[0],
    max_duration = stats_array[2],
    avg_duration = stats_array[4],
    stdev_duration = stats_array[6]
| take 5
Run in PlaygroundOutput
idmin_durationmax_durationavg_durationstdev_duration
u123152459545.2
u45681897838.7
This query calculates comprehensive statistics for each user’s request durations by extracting specific elements from the 7-element stats array.
  • series_stats_dynamic: Returns the same statistics as a dynamic object with named properties instead of an array.
  • series_max: Compares two arrays element-wise and returns the maximum values.
  • series_min: Compares two arrays element-wise and returns the minimum values.
  • avg: Aggregation function for calculating averages across rows.
  • stdev: Aggregation function for standard deviation across rows.