The series_max function compares two numeric arrays element by element and returns a new array. Each position in the result contains the maximum value between the corresponding elements from the two input arrays.
You use series_max when you want to create an envelope or upper bound from multiple series, combine baseline metrics with actual values, or merge data from different sources by keeping the higher value at each point. For example, you can compare response times across different servers and keep the higher value at each time point, or combine SLA thresholds with actual measurements.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, element-wise maximum comparisons typically require custom logic with eval or foreach. In contrast, APL provides the specialized series_max function to directly compare arrays element by element and return the maximum values.
['sample-http-logs']
| make-series primary = avg(req_duration_ms), backup = avg(req_duration_ms) on _time step 1m
| extend max_values = series_max(primary, backup)In ANSI SQL, you use the GREATEST() function to compare scalar values. To compare sequences element-wise, you need window functions or complex joins. In APL, series_max simplifies this by applying the maximum operation across arrays in a single step.
['sample-http-logs']
| make-series series1 = avg(req_duration_ms), series2 = avg(req_duration_ms) on _time step 1m
| extend max_series = series_max(series1, series2)Usage
Syntax
series_max(array1, array2)Parameters
| Parameter | Type | Description |
|---|---|---|
array1 |
array | The first array of numeric values. |
array2 |
array | The second array of numeric values. Must have the same length as array1. |
Returns
An array of numeric values. Each element is the maximum of the corresponding elements from array1 and array2.
Use case examples
You want to create an upper bound by comparing request durations across two different cities and keeping the higher value at each time point.
Query
['sample-http-logs']
| take 50
| make-series london_avg = avgif(req_duration_ms, ['geo.city'] == 'London'),
paris_avg = avgif(req_duration_ms, ['geo.city'] == 'Paris')
on _time step 1h
| extend max_duration = series_max(london_avg, paris_avg)Output
| london_avg | paris_avg | max_duration |
|---|---|---|
| [120, 150, 100] | [180, 130, 190] | [180, 150, 190] |
This query compares response times between two cities and creates a series containing the higher value at each time point.
You want to track the maximum count between successful and failed requests at each time point to identify the dominant request type.
Query
['sample-http-logs']
| take 50
| make-series success_count = countif(status == '200'),
failure_count = countif(status != '200')
on _time step 1h
| extend max_count = series_max(success_count, failure_count)Output
| success_count | failure_count | max_count |
|---|---|---|
| [300, 280, 310] | [10, 290, 15] | [300, 290, 310] |
This query compares success and failure counts and returns the higher value at each time point, helping you understand the dominant traffic pattern.
List of related functions
- series_min: Compares two arrays and returns the minimum value at each position.
- series_less: Compares two arrays and returns
truewhere elements in the first array are less than the second. - series_greater: Compares two arrays and returns
truewhere the first array element is greater than the second. - max: Aggregation function that returns the maximum value across grouped records.