The series_less_equals function compares two numeric arrays element by element and returns a new array of Boolean values. Each element in the result is true if the corresponding element in the first array is less than or equal to the corresponding element in the second array, and false otherwise. You can use this function to analyze numeric sequences over time, such as detecting when one series of measurements stays below or matches another. This is useful in monitoring scenarios, anomaly detection, and when working with time-series data in logs, traces, or security events.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, comparisons across arrays aren’t directly supported in the same way. SPL typically works with single values or requires custom evaluation functions to iterate over arrays. In APL, series_less_equals provides a built-in way to compare arrays element by element.

| eval result=if(value1 <= value2, true(), false())

In ANSI SQL, comparisons are scalar by default. You cannot compare arrays directly without unnesting or joining them. In APL, series_less_equals lets you perform an element-wise comparison of two arrays with a single function call.

SELECT CASE WHEN a.value <= b.value THEN true ELSE false END
FROM array_table_a a
JOIN array_table_b b ON a.idx = b.idx;

Usage

Syntax

series_less_equals(arr1, arr2)

Parameters

Parameter | Type | Description
arr1 | dynamic (array) | The first numeric array.
arr2 | dynamic (array) | The second numeric array. Must have the same length as arr1.

Returns

A dynamic array of Boolean values. Each element is true if the element of arr1 is less than or equal to the corresponding element of arr2, otherwise false.

Use case examples

You want to check whether request durations for a user stay within an acceptable threshold over time.

Query

['sample-http-logs']
| summarize durations=make_list(req_duration_ms), times=make_list(_time) by id
| extend threshold=dynamic([200, 200, 200])
| extend below_or_equal=series_less_equals(durations, threshold)
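
Output

id | durations | threshold | below_or_equal
u1 | [120, 180, 250] | [200, 200, 200] | [true, true, false]

This query checks for each user whether the request duration at each point is less than or equal to the threshold of 200 ms. Because both arrays must have the same length, the three-element threshold lines up with a user who has three recorded durations, as in the output row for u1.
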
  • series_greater_equals: Compares two arrays and returns true when elements in the first array are greater than or equal to the second array.
  • series_greater: Compares two arrays and returns true where the first array element is greater than the second.
  • series_less: Compares two arrays and returns true where the first array element is less than the second.
  • series_not_equals: Compares two arrays and returns true where elements aren’t equal.