The series_less_equals function compares two numeric arrays element by element and returns a new array of Boolean values. Each element in the result is true if the corresponding element in the first array is less than or equal to the corresponding element in the second array, and false otherwise.
You can use this function to analyze numeric sequences over time, such as detecting when one series of measurements stays below or matches another. This is useful in monitoring scenarios, anomaly detection, and when working with time-series data in logs, traces, or security events.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, comparisons across arrays aren’t directly supported in the same way. SPL typically works with single values or requires custom evaluation functions to iterate over arrays. In APL, series_less_equals provides a built-in way to compare arrays element by element.
print arr1=dynamic([1,2,3]), arr2=dynamic([2,2,2])
| extend result=series_less_equals(arr1, arr2)
In ANSI SQL, comparisons are scalar by default. You cannot compare arrays directly without unnesting or joining them. In APL, series_less_equals lets you perform an element-wise comparison of two arrays with a single function call.
print arr1=dynamic([1,2,3]), arr2=dynamic([2,2,2])
| extend result=series_less_equals(arr1, arr2)
Usage
Syntax
series_less_equals(arr1, arr2)
Parameters
| Parameter | Type | Description |
|---|---|---|
| arr1 | dynamic (array) | The first numeric array. |
| arr2 | dynamic (array) | The second numeric array. Must have the same length as arr1. |
Returns
A dynamic array of Boolean values. Each element is true if the element of arr1 is less than or equal to the corresponding element of arr2, otherwise false.
Use case examples
You want to check whether request durations for a user stay within an acceptable threshold over time.
Query
['sample-http-logs']
| summarize durations=make_list(req_duration_ms), times=make_list(_time) by id
| extend threshold=dynamic([200, 200, 200])
| extend below_or_equal=series_less_equals(durations, threshold)
Output
| id | durations | threshold | below_or_equal |
|---|---|---|---|
| u1 | [120, 180, 250] | [200, 200, 200] | [true, true, false] |
This query checks for each user whether the request duration at each point is less than or equal to the threshold of 200 ms.
You want to validate whether service durations stay within a performance baseline.
Query
['otel-demo-traces']
| where ['service.name'] == 'frontend'
| summarize durations=make_list(duration), times=make_list(_time) by trace_id
| extend baseline=dynamic([1000000000, 1000000000, 1000000000])
| extend below_or_equal=series_less_equals(durations, baseline)
Output
| trace_id | durations | baseline | below_or_equal |
|---|---|---|---|
| t1 | [00:00:00.5, 00:00:01.2] | [00:00:01, 00:00:01] | [true, false] |
This query shows whether spans in the frontend service meet a performance baseline of 1 second.
You want to check whether requests from a given country stay within acceptable request duration limits.
Query
['sample-http-logs']
| where ['geo.country'] == 'United States'
| summarize durations=make_list(req_duration_ms), times=make_list(_time) by id
| extend limits=dynamic([300, 300, 300])
| extend below_or_equal=series_less_equals(durations, limits)
Output
| id | durations | limits | below_or_equal |
|---|---|---|---|
| u2 | [220, 280, 350] | [300, 300, 300] | [true, true, false] |
This query checks whether requests originating in the United States remain within a 300 ms duration limit.
List of related functions
- series_greater_equals: Compares two arrays and returns true when elements in the first array are greater than or equal to the second array.
- series_greater: Compares two arrays and returns true where the first array element is greater than the second.
- series_less: Compares two arrays and returns true where the first array element is less than the second.
- series_not_equals: Compares two arrays and returns true where elements aren’t equal.