The series_add function performs element-wise addition between two dynamic arrays (series) of numeric values. It adds corresponding elements from both arrays and returns a new array containing the results. This function is useful when you need to combine or aggregate data from multiple time series or when performing mathematical operations across parallel datasets.
You can use series_add when you want to combine metrics from different sources, calculate cumulative values, or perform mathematical transformations on time-series data. Common applications include merging performance metrics, calculating total resource usage, and combining error rates from multiple services.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use the eval command with mathematical operators to add values. However, adding arrays element-wise requires more complex operations. In APL, series_add directly performs element-wise addition on dynamic arrays.
datatable(x: dynamic, y: dynamic)
[
dynamic([1, 2, 3]), dynamic([4, 5, 6])
]
| extend combined_series = series_add(x, y)In SQL, you add individual values using the + operator, but there's no built-in function for element-wise array addition. You would need to unnest arrays and perform complex joins. In APL, series_add handles this operation directly on dynamic arrays.
datatable(x: dynamic, y: dynamic)
[
dynamic([1, 2, 3]), dynamic([4, 5, 6])
]
| extend sum_series = series_add(x, y)Usage
Syntax
series_add(array1, array2)Parameters
| Parameter | Type | Description |
|---|---|---|
array1 |
dynamic | The first dynamic array of numeric values. |
array2 |
dynamic | The second dynamic array of numeric values. |
Returns
A dynamic array where each element is the sum of the corresponding elements from array1 and array2. If the arrays have different lengths, the result array has the length of the shorter array.
Use case examples
In log analysis, you can use series_add to combine request durations from different processing stages to calculate total processing time.
Query
['sample-http-logs']
| summarize stage1_durations = make_list(req_duration_ms), stage2_durations = make_list(req_duration_ms * 0.3) by id
| extend total_durations = series_add(stage1_durations, stage2_durations)Output
| id | stage1_durations | stage2_durations | total_durations |
|---|---|---|---|
| u123 | [100, 200, 150] | [30, 60, 45] | [130, 260, 195] |
| u456 | [80, 120] | [24, 36] | [104, 156] |
This query combines processing durations from two stages to calculate the total processing time for each user's requests.
In OpenTelemetry traces, you can use series_add to combine span durations from different services to analyze total request processing time.
Query
['otel-demo-traces']
| summarize frontend_durations = make_list(iff(['service.name'] == 'frontend', duration, 0ms)), backend_durations = make_list(iff(['service.name'] == 'cart', duration, 0ms)) by trace_id
| extend total_durations = series_add(frontend_durations, backend_durations)Output
| trace_id | frontend_durations | backend_durations | total_durations |
|---|---|---|---|
| t123 | [00:00:01, 00:00:00.5] | [00:00:00.2, 00:00:00.3] | [00:00:01.2, 00:00:00.8] |
| t456 | [00:00:00.8] | [00:00:00.4] | [00:00:01.2] |
This query adds frontend and backend service durations to calculate the combined processing time per trace.
In security logs, you can use series_add to combine request durations from different security checks to analyze total security processing overhead.
Query
['sample-http-logs']
| summarize auth_durations = make_list(req_duration_ms * 0.1), validation_durations = make_list(req_duration_ms * 0.05) by status
| extend total_security_durations = series_add(auth_durations, validation_durations)Output
| status | auth_durations | validation_durations | total_security_durations |
|---|---|---|---|
| 200 | [10, 20, 15] | [5, 10, 7.5] | [15, 30, 22.5] |
| 401 | [25, 30] | [12.5, 15] | [37.5, 45] |
This query combines authentication and validation processing times to calculate total security overhead by HTTP status code.
List of related functions
- series_abs: Returns the absolute value of each element in an array. Use when you need to remove negative signs without rounding.
- series_cosine_similarity: Calculates cosine similarity between two arrays. Use when you need normalized similarity measures rather than raw dot products.
- series_divide: Performs element-wise division between two arrays. Use when you need to calculate ratios or normalize values.
- series_dot_product: Calculates the dot product between two arrays. Use when you need the raw dot product value rather than normalized similarity.
- series_sum: Calculates the sum of all elements in a single array. Use when you need to sum elements within one array rather than computing dot products.