Forum Discussion
mv-expand - I cannot make it work!!
- Feb 04, 2022
CodnChips I tend to use it when trying to get the related alerts from an incident. If you look at a row in the SecurityIncident table, you will see the AlertIds field is listed like:
["695ef2b2-ceb1-d087-b3bb-846a8555xxxx","xxxxxxxx-ceb1-d087-b3bb-846a8555xxxx"] which means it is a JSON array and in this case has 2 entries. In order to really use this field you would use mv-expand on the column as in
SecurityIncident | mv-expand AlertIds
This will create a new row for each entry in the AlertIds column. All the other columns will be the same but the AlertIds column will only contain a single value per row. This makes it much easier to perform a join against the SecurityAlert table to get the alert information.
You can get some code examples from the Sentinel Github, via the search box, then filter on YAML files (to reduce some noise, the json files can also be useful...but start simple!).
You should end up with something like:
https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=mv-expand
Another example of its use is where you have [0] and [1] type entries (often these are 10 or more).
You can use mv-expand to produce the data without the [numbers].
You can play with this example in the Logs Demo:
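Putting the two uses above together, here is an added example (not a query from the original thread or from the Sentinel GitHub): it expands AlertIds so each incident row carries one alert id, joins that to SecurityAlert, and then flattens the alert's Entities array so the [0], [1], ... items become separate rows. Column names assume the standard Sentinel SecurityIncident and SecurityAlert schemas; the 7-day window is an arbitrary choice.

```kusto
// Added example, not from the original post. Assumes standard Sentinel schemas.
SecurityIncident
| where TimeGenerated > ago(7d)
// Incidents are re-logged on every update; keep only the latest state of each one.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// AlertIds is a dynamic JSON array: produce one row per alert id, typed as string.
| mv-expand AlertId = AlertIds to typeof(string)
| project IncidentNumber, Title, Severity, Status, AlertId
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    // Alerts are also re-logged; keep the latest copy of each.
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertId = SystemAlertId, AlertName, AlertSeverity, ProviderName, Entities
  ) on AlertId
// The join duplicates the key as AlertId1; drop it.
| project-away AlertId1
// Entities is stored as a JSON string; parse it, then expand the [0], [1], ... items.
| mv-expand Entity = parse_json(Entities)
| extend EntityType = tostring(Entity.Type),
         // Different entity kinds carry their identifier in different fields.
         EntityValue = coalesce(tostring(Entity.Name), tostring(Entity.Address), tostring(Entity.HostName))
| project IncidentNumber, Title, Severity, Status, AlertId, AlertName, AlertSeverity, ProviderName, EntityType, EntityValue
| order by IncidentNumber asc, AlertId asc
```

Each incident now appears once per (alert, entity) pair, which is the shape you want before a summarize such as make_set(EntityValue) by IncidentNumber.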
Many thanks