Forum Discussion
mv-expand - I cannot make it work!!
- Feb 04, 2022
CodnChips I tend to use it when trying to get the related alerts from an incident. If you look at a row in the SecurityIncident table, you will see the AlertIds field is listed like:
    ["695ef2b2-ceb1-d087-b3bb-846a8555xxxx","xxxxxxxx-ceb1-d087-b3bb-846a8555xxxx"]
which means it is a JSON array and in this case has 2 entries. In order to really use this field you would use mv-expand on the column as in
    SecurityIncident | mv-expand AlertIds
This will create a new row for each entry in the AlertIds column. All the other columns will be the same but the AlertIds column will only contain a single value per row. This makes it much easier to perform a join against the SecurityAlert table to get the alert information.
Final one, if you get a chance:
If I enter this:
    SecurityAlert
    | where TimeGenerated == "2022-02-06T21:33:52.77Z"
    | mv-expand Entities
I get this error:
    Operator mvexpand: expanded expression expected to have dynamic type
Is this because the Entities field is a "dynamic Array"? What is it expecting?
- CodnChips, Feb 07, 2022, Brass Contributor
Clive_Watson Perfect, thanks!
- Clive_Watson, Feb 07, 2022, Bronze Contributor
Glad to help 😉
You can also try https://github.com/rod-trent/MustLearnKQL for some more tips, and https://github.com/rod-trent/AddictedtoKQL when it releases.
#MustLearnKQL #KQL
- CodnChips, Feb 07, 2022, Brass Contributor
Clive_Watson
Aaaah - see that makes sense. The help files\docs just don't present the information in a digestible format. Thank you so much for your clear responses - I wouldn't have extracted that understanding from the docs (which I appreciate is my own shortcoming) 🙂
- Clive_Watson, Feb 07, 2022, Bronze Contributor
It's a string, and mv-expand needs a Dynamic array - getschema will confirm this for you:
    SecurityAlert | getschema | where ColumnName == "Entities"
mv-expand operator - Azure Data Explorer | Microsoft Docs:
    Expands multi-value dynamic arrays or property bags into multiple records.
So you need to switch the string to Dynamic for mv-expand to work:
    SecurityAlert | limit 1 | mv-expand todynamic(Entities)
And at that point you decide if you need the results as Dynamic or if you need them as a string (and that depends on the commands, if any, you plan to run on the filtered data):
    // drop "to typeof(string)" to keep the expanded column as dynamic
    SecurityAlert | limit 1 | mv-expand todynamic(Entities) to typeof(string) | getschema | where ColumnName == "Entities"
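Putting the two answers together, here is an added example (not from the thread) that expands an incident's AlertIds, joins the alerts, and then expands each alert's Entities string. It assumes the Sentinel schema where SecurityAlert carries SystemAlertId and Entities is a JSON string whose objects have a "Type" property.

```kql
// Added example, not from the thread. Assumes Sentinel's SecurityIncident and
// SecurityAlert tables: AlertIds is a dynamic array, SystemAlertId is a string,
// and Entities is a JSON string whose objects carry a "Type" property.
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // keep the latest revision of each incident
| mv-expand AlertIds                                      // one row per alert id; the value is dynamic
| extend AlertId = tostring(AlertIds)                     // join keys must match type: string, not dynamic
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | project SystemAlertId, AlertName, AlertSeverity, Entities
    | mv-expand Entity = todynamic(Entities)              // Entities is a string, so convert before expanding
    | extend EntityType = tostring(Entity.Type)
  ) on $left.AlertId == $right.SystemAlertId
| summarize EntityTypes = make_set(EntityType) by IncidentNumber, Title, AlertName, AlertSeverity
| order by IncidentNumber asc
```

Without the tostring() on AlertIds the join fails for the same reason mv-expand did: the operator expects one type and receives another.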