Forum Discussion

CodnChips's avatar
CodnChips
Brass Contributor
Feb 04, 2022
Solved

mv-expand - I cannot make it work!!

Can anyone spare anytime to give me a basic example of how to use mv-expand please, so that I can then expand on it! (See what I did there  )  I just don't get it.  I understand that it can be used ...
  • GaryBushey's avatar
    GaryBushey
    Feb 04, 2022

    CodnChips I tend to use it when trying to get the related alerts from an incident.   If you look at a row in the SecurityIncident table, you will see the AlertIds field is listed like: 

    ["695ef2b2-ceb1-d087-b3bb-846a8555xxxx","xxxxxxxx-ceb1-d087-b3bb-846a8555xxxx"]

    which means it is a JSON array and in this case has 2 entries.   In order to really use this field you would use mv-expand on the column as in 

     

    SecurityIncident
| mv-expand AlertIds

     

    This will create a new row for each entry in the AlertIds column.  All the other columns will be the same but the AlertIds column will only contain a single value per row.  This makes it much easier to perform a join against the SecurityAlert table to get the alert information.

SocInABox's avatar
SocInABox
Iron Contributor
Apr 28, 2023

CodnChips Clive_Watson GaryBushey 

In your experience with mv-expand have you had issues with the json being truncated so mv-expand doesn't work?

I made a logic app to pull in EDR alerts from carbon black and the alerts can be very long (over 1600 lines of json).

Are you aware of any limits and if there are any can that be fixed in my logic app?

 

Or is it possible my json just has a funky ending that needs to be truncated?

 

eg: here's my query:

CarbonBlack_CL
|mv-expand todynamic(results_s) to typeof(string)
|project results_s

 

And here's the tail end of the mvexpand on every results_s value. As you can see, that ",{" shouldn't be there:

<main body of json>

...
"ENUMERATE_PROCESSES"
]
},
{

 

Resources