The make-series operator creates time series data by aggregating values over specified time bins. You use it to turn event-based data into evenly spaced intervals, which is useful for visualizing trends, comparing metrics over time, or performing anomaly detection. You find this operator useful when you want to:
  • Analyze trends in metrics such as request duration, error rates, or throughput.
  • Prepare data for charting in dashboards where regular time intervals are required.
  • Aggregate trace or log data into time buckets for performance monitoring or incident analysis.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

make-series [Aggregation [, ...]]
    [default = DefaultValue]
    on TimeField
    [in Range]
    step StepSize
    [by GroupingField [, ...]]

Parameters

ParameterDescription
AggregationOne or more aggregation functions (for example, avg(), count(), sum()) to apply over each time bin.
defaultA value to use when no records exist in a time bin.
TimeFieldThe field containing timestamps used for binning.
RangeAn optional range expression specifying the start and end of the series (for example, from ago(1h) to now()).
StepSizeThe size of each time bin (for example, 1m, 5m, 1h).
GroupingFieldOptional fields to split the series by, producing multiple series in parallel.

Returns

The operator returns a table where each row represents a group (if specified), and each aggregation function produces an array of values aligned with the generated time bins.

Use case examples

You want to analyze how average request duration evolves over time, binned into 5-minute intervals.Query
['sample-http-logs']
| make-series avg(req_duration_ms) default=0 on _time from ago(1h) to now() step 5m
Run in PlaygroundOutput
avg_req_duration_ms
[123, 98, 110, 105, 130…]
The query produces a time series of average request durations across the last hour, grouped into 5-minute intervals.
  • extend: Creates new calculated fields, often as preparation before make-series. Use extend when you want to preprocess data for time series analysis.
  • mv-expand: Expands arrays into multiple rows. Use mv-expand to work with the arrays returned by make-series.
  • summarize: Aggregates rows into groups but does not generate continuous time bins. Use summarize when you want flexible grouping without forcing evenly spaced intervals.
  • top: Returns the top rows by a specified expression, not time series. Use top when you want to focus on the most significant values instead of trends over time.