The series_subtract function performs element-wise subtraction between two numeric dynamic arrays (series). Each element in the second series is subtracted from the element at the same position in the first series. You can use series_subtract when you need to compute differences between two time-series datasets. This is particularly useful for calculating deltas, deviations from baselines, changes over time, or comparing metrics between different groups or time periods.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use the eval command with the subtraction operator to calculate differences between fields. In APL, series_subtract operates on entire arrays at once, performing element-wise subtraction efficiently.
... | eval difference=value1 - value2
In SQL, you subtract values using the - operator on individual columns. In APL, series_subtract performs element-wise subtraction across entire arrays stored in single columns.
SELECT value1 - value2 AS difference
FROM measurements;

Usage

Syntax

series_subtract(series1, series2)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| series1 | dynamic | A dynamic array of numeric values (minuend). |
| series2 | dynamic | A dynamic array of numeric values (subtrahend). |

Returns

A dynamic array where each element is the result of subtracting the corresponding element of series2 from series1. If the arrays have different lengths, the shorter array is extended with null values.
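The length rule above, modelled in Python as an added example (not Axiom's implementation and not code from this page). It assumes a null operand gives a null result at that position; the Python `series_subtract` model, the `flag_deviations` helper and the sample durations are constructed for illustration.

```python
from itertools import zip_longest


def series_subtract(series1, series2):
    """Model of the documented behaviour: element-wise series1 - series2,
    with the shorter array extended with nulls (None).
    Assumption: a null operand yields a null result at that position."""
    return [
        None if a is None or b is None else a - b
        for a, b in zip_longest(series1, series2, fillvalue=None)
    ]


def flag_deviations(current, baseline, threshold):
    """Return (delta, exceeded, uncovered).
    exceeded:  positions where |delta| is above the threshold.
    uncovered: positions with no delta because one series was shorter.
    Reporting uncovered positions separately keeps a short baseline from
    silently hiding values that were never compared."""
    delta = series_subtract(current, baseline)
    exceeded = [i for i, d in enumerate(delta)
                if d is not None and abs(d) > threshold]
    uncovered = [i for i, d in enumerate(delta) if d is None]
    return delta, exceeded, uncovered


# Constructed sample: request durations (ms) against a shorter baseline.
CURRENT = [52, 57, 95, 51, 120, 118]
BASELINE = [50, 55, 48, 52]

if __name__ == "__main__":
    delta, exceeded, uncovered = flag_deviations(CURRENT, BASELINE, threshold=10)
    print("delta:    ", delta)
    print("exceeded: ", exceeded)
    print("uncovered:", uncovered)
```

The two largest values in the sample sit at positions the baseline does not cover, so they produce nulls rather than deltas and only show up if null positions are checked explicitly.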

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
In log analysis, you can use series_subtract to calculate the difference between current and baseline request durations, helping identify performance degradations.

Query
['sample-http-logs']
| summarize current = make_list(req_duration_ms) by ['geo.city']
| extend baseline = dynamic([50, 55, 48, 52, 49])
| extend delta = series_subtract(current, baseline)
| take 5
Output

| geo.city | current | baseline | delta |
| --- | --- | --- | --- |
| Seattle | [60, 65, 58, 62, 59] | [50, 55, 48, 52, 49] | [10, 10, 10, 10, 10] |
| Portland | [45, 50, 43, 47, 44] | [50, 55, 48, 52, 49] | [-5, -5, -5, -5, -5] |
This query calculates the difference between current request durations and baseline values, showing performance changes per city.
  • series_multiply: Performs element-wise multiplication of two series. Use when you need to multiply rather than subtract.
  • series_abs: Returns the absolute value of each element. Use after subtraction to get the magnitude of differences.
  • series_stats: Returns a statistical summary of a series. Use to analyze the result of subtraction operations.
  • series_sign: Returns the sign of each element. Use after subtraction to determine direction of changes.