Time-series SPL - Simple Log Service - Alibaba Cloud Documentation Center

Logstore contains a wealth of time-series data. Simple Log Service facilitates the processing of this data through time-series SPL instructions and functions.

What is series

A Series is a two-dimensional data structure with time and metric dimensions, ideal for representing collections of time-varying observations. It corresponds to table data.

Comparison with table model

Comparison dimension	Table model	Series model

Comparison dimension	Table model	Series model
Data organization	Discrete time point records (row storage)	Continuous time series (column storage)
Query mode	Aggregation calculation based on discrete points	Supports time series operations such as sliding window
Storage efficiency	Suitable for low-frequency discrete events	Optimized for high-frequency continuous metric storage

Example

For instance, in analyzing Nginx access logs, calculate the average response time per minute by URI dimension.

Table model

* 
| extend ts =  to_unixtime(date_trunc('hour',date_parse(time_local, '%d/%b/%Y:%H:%i:%s')))
| stats avg_latency = avg(cast(upstream_response_time as double)) by ts,request_uri

Example of discrete time point aggregation result:

Series model implementation

* 
| stats avg_latency=avg(cast(upstream_response_time as double)) by time_local, request_uri
| make-series avg_latency default = 'last'
    on time_local 
    from 'sls_begin_time' to 'sls_end_time' 
    step '1m' 
    by request_uri

Example of continuous time series visualization:

Spl instructions

SPL instructions are utilized to transform Table data into Series data.

Instruction name	Description

Instruction name	Description
stats	Used to calculate statistics information of a dataset, supports aggregation by grouping fields.
make-series	Builds Table data into Series data.
render	Renders SPL query results as charts for visualization.

Spl functions

Once data is processed into a series using make-series, SPL functions can be called for visualization purposes.

Function name	Description

Function name	Description
second_to_nano function	Time conversion function: converts second-level timestamps to nanosecond-level, suitable for high-precision scenarios.
series_forecast function	Time series prediction function: predicts future trends based on historical data, suitable for monitoring, analysis, and planning.
series_pattern_anomalies function	Anomaly detection function: based on machine learning algorithms, identifies anomalous points or patterns in time series, suitable for monitoring, alerting, and data analysis scenarios.
series_decompose_anomalies function	Time series decomposition and anomaly detection function: based on time series decomposition algorithms, splits raw data into trend, seasonal, and residual components, and analyzes the residual component through statistical methods to identify anomalous points, suitable for real-time monitoring, root cause analysis, and data quality detection scenarios.