Skip to content

Add make-series, mv-expand, parse-kv, parse-where, project-rename #389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add make-series, mv-expand, parse-kv, parse-where, project-rename #389

wants to merge 7 commits into from
+664 −2

Conversation

manototh
Copy link
Collaborator

@manototh manototh commented Sep 3, 2025
edited
Loading

@manototh manototh self-assigned this Sep 3, 2025
@manototh manototh requested a review from gordallott September 3, 2025 09:22
gordallott
gordallott reviewed Sep 8, 2025
View reviewed changes
Copy link
Contributor

@gordallott gordallott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need to go through that make-series one a bit, left links but dm's are open if it's confusing

apl/tabular-operators/make-series.mdx
Comment on lines +6 to +12
The `make-series` operator creates time series data by aggregating values over specified time bins. You use it to turn event-based data into evenly spaced intervals, which is useful for visualizing trends, comparing metrics over time, or performing anomaly detection.

You find this operator useful when you want to:

- Analyze trends in metrics such as request duration, error rates, or throughput.
- Prepare data for charting in dashboards where regular time intervals are required.
- Aggregate trace or log data into time buckets for performance monitoring or incident analysis.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hum no, this is describing a summarize operator. They seem similiar for sure! but different.

  • summarize takes in event data and lets you use aggregations to produce time series data encoded in rows
  • make-series takes in event data and lets you use aggregations to produce time-series data encoded in field arrays

you can use this query to play about with the difference between the two: https://play.axiom.co/axiom-play-qf1k/query?qid=UiH3wAA3IfX-t29ng0&relative=1
the summarize will produce individual rows for every time bucket, the make-series will encode the whole thing into a single array on the avg_metric and timestamp field

the idea with make-series is that you can turn your events into array-based time series data, manipulate that array in some way (using the series_ functions usually), then use mv-exapand to turn it back into row-based time series data.

so it's not about visualizing trends or comparing metrics, but rather it provides a way to maniuplate aggregated, time-series data.

it's difficult to wrap your head around i know, it's much easier if you just play with it.

Here's another example of using make-series to build array based time-series data, then calling a series function on that array to make it a smoothed rolling average value, then using mv-expand to turn it back into row-based time series data for graphing

https://play.axiom.co/axiom-play-qf1k/query?qid=DJ19Fz8dxAH-t29ou0&relative=1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gordallott gordallott gordallott left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@manototh manototh

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@manototh @gordallott