The series_sign function returns the sign of each element in a numeric dynamic array (series). The function returns -1 for negative numbers, 0 for zero, and 1 for positive numbers.
You can use series_sign when you need to identify the direction or polarity of values in time-series data. This is particularly useful for detecting changes in trends, classifying values by their sign, or preparing data for further analysis where only the direction matters, not the magnitude.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically implement sign detection using conditional statements with eval. In APL, series_sign provides a built-in function that operates on entire arrays efficiently.
datatable(x: dynamic)
[
dynamic([-5, -2, 0, 3, 7])
]
| extend signs = series_sign(x)
In SQL, you use the SIGN() function to determine the sign of individual values. In APL, series_sign applies this operation element-wise across entire arrays.
datatable(x: dynamic)
[
dynamic([-5, -2, 0, 3, 7])
]
| extend signs = series_sign(x)
Usage
Syntax
series_sign(array)
Parameters
| Parameter | Type | Description |
|---|---|---|
| array | dynamic | A dynamic array of numeric values. |
Returns
A dynamic array where each element is:
- -1 if the corresponding input element is negative
- 0 if the corresponding input element is zero
- 1 if the corresponding input element is positive
Use case examples
In log analysis, you can use series_sign to detect whether request durations are above or below a baseline by first subtracting the baseline, then examining the sign.
Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend baseline = 100
| extend deviations = series_subtract(durations, dynamic([100, 100, 100, 100, 100]))
| extend trend = series_sign(deviations)
| take 5
Output
| id | durations | deviations | trend |
|---|---|---|---|
| u123 | [120, 95, 105, 80, 110] | [20, -5, 5, -20, 10] | [1, -1, 1, -1, 1] |
| u456 | [85, 100, 90, 105, 95] | [-15, 0, -10, 5, -5] | [-1, 0, -1, 1, -1] |
This query calculates deviations from a baseline and uses series_sign to classify whether each request was slower (1), faster (-1), or equal (0) to the baseline.
In OpenTelemetry traces, you can use series_sign to identify performance improvements or degradations by comparing current spans against previous measurements.
Query
['otel-demo-traces']
| extend duration_ms = duration / 1ms
| summarize current = make_list(duration_ms) by ['service.name']
| extend previous = dynamic([100, 120, 95, 110, 105])
| extend change = series_subtract(current, previous)
| extend direction = series_sign(change)
| take 5
Output
| service.name | current | change | direction |
|---|---|---|---|
| frontend | [95, 115, 100, 105, 110] | [-5, -5, 5, -5, 5] | [-1, -1, 1, -1, 1] |
| checkout | [105, 125, 90, 115, 100] | [5, 5, -5, 5, -5] | [1, 1, -1, 1, -1] |
This query compares current and previous span durations, using series_sign to classify each change as improvement (-1), degradation (1), or no change (0).
In security logs, you can use series_sign to classify request patterns as above or below normal thresholds, helping identify potential security anomalies.
Query
['sample-http-logs']
| summarize counts = make_list(req_duration_ms) by status
| extend threshold = dynamic([50, 50, 50, 50, 50])
| extend difference = series_subtract(counts, threshold)
| extend alert_flag = series_sign(difference)
| take 5
Output
| status | counts | difference | alert_flag |
|---|---|---|---|
| 200 | [45, 52, 48, 55, 50] | [-5, 2, -2, 5, 0] | [-1, 1, -1, 1, 0] |
| 401 | [60, 75, 55, 80, 70] | [10, 25, 5, 30, 20] | [1, 1, 1, 1, 1] |
This query compares request metrics against thresholds and uses series_sign to create alert flags, where 1 indicates above-threshold activity that might warrant investigation.
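For triage, a run of consecutive 1 flags is a stronger signal than isolated ones. The following added example (Python, not APL and not part of the original documentation) models series_sign as described above and goes one step beyond the query by keeping only the series that stay above the threshold for several consecutive points. The names `triage`, `longest_run_above`, and `min_run` are hypothetical, and the sample data is constructed from the two rows of the output table above.

```python
from itertools import groupby


def series_sign(values):
    """Python model of the element-wise sign described on this page:
    -1 for negative, 0 for zero, 1 for positive."""
    return [(v > 0) - (v < 0) for v in values]


def longest_run_above(flags):
    """Length of the longest run of consecutive 1 (above-threshold) flags."""
    return max((len(list(g)) for k, g in groupby(flags) if k == 1), default=0)


def triage(series_by_key, threshold, min_run=3):
    """Return the keys whose values stay above `threshold` for at least
    `min_run` consecutive points (min_run is an assumed tuning knob)."""
    findings = {}
    for key, values in series_by_key.items():
        # Subtract a scalar threshold from every element so that series of
        # any length are handled, rather than a fixed five-element array.
        difference = [v - threshold for v in values]
        alert_flag = series_sign(difference)
        run = longest_run_above(alert_flag)
        if run >= min_run:
            findings[key] = {"alert_flag": alert_flag, "longest_run": run}
    return findings


# Constructed sample: the two rows shown in the output table above.
SAMPLE = {
    "200": [45, 52, 48, 55, 50],
    "401": [60, 75, 55, 80, 70],
}

if __name__ == "__main__":
    for status, info in triage(SAMPLE, threshold=50).items():
        print(status, info)
```

With the sample rows, status 200 oscillates around the threshold and is dropped, while status 401 is above it at every point and is reported.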
List of related functions
- series_abs: Returns the absolute value of each element. Use when you need magnitude without direction information.
- series_subtract: Performs element-wise subtraction. Often used before series_sign to compute deviations from baselines.
- series_greater: Returns boolean comparison results. Use when you need explicit comparison against a threshold.
- series_less: Returns boolean comparison results. Use for direct comparison instead of sign-based classification.