The series_min function compares two numeric arrays element by element and returns a new array. Each position in the result contains the minimum value between the corresponding elements from the two input arrays.
You use series_min when you want to create a lower bound from multiple series, combine baseline metrics with actual values while keeping the smaller value, or merge data from different sources by selecting the lower value at each point. For example, you can compare response times across different servers and keep the lower value at each time point, or create minimum thresholds from multiple sources.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, element-wise minimum comparisons typically require custom logic with eval or foreach. In contrast, APL provides the specialized series_min function to directly compare arrays element by element and return the minimum values.
['sample-http-logs']
| make-series primary = avg(req_duration_ms), backup = avg(req_duration_ms) on _time step 1m
| extend min_values = series_min(primary, backup)In ANSI SQL, you use the LEAST() function to compare scalar values. To compare sequences element-wise, you need window functions or complex joins. In APL, series_min simplifies this by applying the minimum operation across arrays in a single step.
['sample-http-logs']
| make-series series1 = avg(req_duration_ms), series2 = avg(req_duration_ms) on _time step 1m
| extend min_series = series_min(series1, series2)Usage
Syntax
series_min(array1, array2)Parameters
| Parameter | Type | Description |
|---|---|---|
array1 |
array | The first array of numeric values. |
array2 |
array | The second array of numeric values. Must have the same length as array1. |
Returns
An array of numeric values. Each element is the minimum of the corresponding elements from array1 and array2.
Use case examples
You want to create a lower bound by comparing request durations across two different cities and keeping the lower value at each time point.
Query
['sample-http-logs']
| take 50
| make-series london_avg = avgif(req_duration_ms, ['geo.city'] == 'London'),
paris_avg = avgif(req_duration_ms, ['geo.city'] == 'Paris')
on _time step 1h
| extend min_duration = series_min(london_avg, paris_avg)Output
| london_avg | paris_avg | min_duration |
|---|---|---|
| [120, 150, 100] | [180, 130, 190] | [120, 130, 100] |
This query compares response times between two cities and creates a series containing the lower value at each time point.
You want to track the minimum count between successful and failed requests at each time point to identify which type has less traffic.
Query
['sample-http-logs']
| take 50
| make-series success_count = countif(status == '200'),
failure_count = countif(status != '200')
on _time step 1h
| extend min_count = series_min(success_count, failure_count)Output
| success_count | failure_count | min_count |
|---|---|---|
| [300, 280, 310] | [10, 290, 15] | [10, 280, 15] |
This query compares success and failure counts and returns the lower value at each time point, helping you identify the minority traffic pattern.
List of related functions
- series_max: Compares two arrays and returns the maximum value at each position.
- series_less: Compares two arrays and returns
truewhere elements in the first array are less than the second. - series_greater: Compares two arrays and returns
truewhere the first array element is greater than the second. - min: Aggregation function that returns the minimum value across grouped records.