The series_abs function transforms all values in a numeric dynamic array (series) into their absolute values. This means that it converts negative values to their positive equivalents while leaving non-negative values unchanged. You can use series_abs when you want to normalize data and remove the effect of directionality. For example, it’s useful in time-series scenarios where you want to analyze the magnitude of changes regardless of whether they’re positive or negative. Typical applications include error analysis, performance monitoring, and anomaly detection.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, absolute values are usually calculated with the eval function and the abs() expression. In APL, you apply series_abs to an array column to calculate absolute values for all elements in one step.
... | eval abs_duration=abs(duration)
In SQL, you calculate absolute values with the ABS() scalar function, but this only applies to single values, not arrays. In APL, series_abs applies the operation to every element in a dynamic array, which makes it convenient for series analysis.
SELECT ABS(duration) AS abs_duration
FROM requests;

Usage

Syntax

series_abs(array)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| array | dynamic | A dynamic array of numeric values. |

Returns

A dynamic array where each element is the absolute value of the corresponding input element.

Use case examples

Log analysis

In log analysis, you can use series_abs to analyze request durations by focusing on their magnitude, regardless of whether values are represented as positive or negative deviations.

Query
['sample-http-logs']
| summarize durations = make_list(req_duration_ms) by id
| extend abs_durations = series_abs(durations)
Output

| id | durations | abs_durations |
| --- | --- | --- |
| u123 | [-50, 30, -10, 20] | [50, 30, 10, 20] |
| u456 | [5, -7, -3, 9] | [5, 7, 3, 9] |
This query collects request durations for each user, then converts them into absolute values for magnitude-based analysis.
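The following code is an added example, not part of the Axiom documentation and written in plain Python rather than APL. It models the element-wise semantics described above on the two sample output rows and shows why a detection threshold should test magnitudes: a check on the signed values misses the -50 deviation. The function names, the rejection of non-numeric elements, and the threshold of 40 are assumptions made for the example.

```python
from numbers import Real

# Constructed sample: the two rows from the output table above.
ROWS = {
    "u123": [-50, 30, -10, 20],
    "u456": [5, -7, -3, 9],
}


def series_abs(series):
    """Model of the documented semantics: absolute value of every element."""
    out = []
    for value in series:
        # bool is a Real subclass in Python; reject it so True/False
        # are not silently treated as 1/0 (a choice of this model).
        if isinstance(value, bool) or not isinstance(value, Real):
            raise TypeError(f"non-numeric element: {value!r}")
        out.append(abs(value))
    return out


def flag_signed(rows, threshold):
    """Naive check: compares raw values, so negative spikes never match."""
    hits = {}
    for key, series in rows.items():
        found = [(i, v) for i, v in enumerate(series) if v >= threshold]
        if found:
            hits[key] = found
    return hits


def flag_by_magnitude(rows, threshold):
    """Compares |value| but reports the signed value, keeping direction for triage."""
    hits = {}
    for key, series in rows.items():
        magnitudes = series_abs(series)
        found = [(i, series[i]) for i, m in enumerate(magnitudes) if m >= threshold]
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    THRESHOLD = 40  # assumed alert threshold for this example
    print("signed check:   ", flag_signed(ROWS, THRESHOLD))
    print("magnitude check:", flag_by_magnitude(ROWS, THRESHOLD))
```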
  • series_acos: Returns the arc cosine of each element in an array. Use when you need to invert cosine transformations instead of sine.
  • series_asin: Applies the arc sine function element-wise to array values. Use this when you need the inverse sine instead of the inverse cosine.
  • series_atan: Returns the arc tangent of each element in an array. Useful for handling tangent-derived data.