The series_sum function in APL calculates the total of all numeric elements in a dynamic array. You use it when you have a series of values and you want to condense them into a single aggregate number. For example, if you create arrays of request durations or span times, series_sum lets you quickly compute the total across each series.
This function is useful in scenarios such as:
- Aggregating request latencies across sessions or users.
- Summing the duration of spans in distributed traces.
- Calculating total counts or values across arrays in security log analysis.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use the eval command with mvsum to sum values in a multivalue field. In APL, you use series_sum for the same purpose. Both functions collapse an array into a single scalar value.
['sample-http-logs']
| extend total_duration = series_sum(pack_array(req_duration_ms))In SQL, you normally use SUM() as an aggregate over rows. If you want to sum elements inside an array, you must use functions such as UNNEST first. In APL, series_sum directly operates on dynamic arrays, so you don’t need to flatten them.
['sample-http-logs']
| summarize total = series_sum(pack_array(req_duration_ms)) by idUsage
Syntax
series_sum(array)Parameters
| Parameter | Type | Description |
|---|---|---|
array |
dynamic (array) | The array of numeric values to sum. |
Returns
A real value representing the sum of all numeric elements in the array. If the array is empty, the function returns 0.
Use case examples
When you want to calculate the total request duration per user across multiple requests.
Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend total_duration = series_sum(durations)Output
| id | durations | total_duration |
|---|---|---|
| u123 | [120, 300, 50] | 470 |
| u456 | [200, 150] | 350 |
This query collects request durations for each user, creates an array, and then sums the array to compute the total request time per user.
When you want to compute the total span duration per service within a trace.
Query
['otel-demo-traces']
| summarize durations = make_list(duration) by ['service.name'], trace_id
| extend total_span_duration = series_sum(durations)Output
| service.name | trace_id | durations | total_span_duration |
|---|---|---|---|
| frontend | t123 | [00:00:01.2000000, 00:00:02] | 00:00:03.2000000 |
| checkoutservice | t456 | [00:00:00.5000000] | 00:00:00.5000000 |
This query groups spans by service and trace, collects the span durations, and computes the total execution time of spans.
When you want to evaluate the total request duration for each HTTP status code.
Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by status
| extend total_duration = series_sum(durations)Output
| status | durations | total_duration |
|---|---|---|
| 200 | [100, 300, 50] | 450 |
| 500 | [250, 400] | 650 |
This query aggregates request durations for each HTTP status code, then sums them to provide insight into the total duration of successful vs. failed requests.
List of related functions
- series_abs: Returns the absolute value of each element in an array. Use it to normalize negative values in arrays.
- series_acos: Computes the arccosine of each element in an array. Use when you want the inverse cosine.
- series_atan: Computes the arctangent of each element in an array. Use when you want the inverse tangent.
- series_cos: Returns the cosine of each element in an array. Use it when analyzing cyclical data with a phase shift.
- series_tan: Returns the tangent of each element in an array. Use it when you want to transform arrays with tangent-based periodicity.