Forum Discussion

abon13's avatar
abon13
Copper Contributor
Oct 12, 2022
Solved

mv-expand error on Security Alert

Hi,   I have below query which I am using to perform a URL search in Security Alert table. This query works fine as long as the search value is there in the given timeframe (the below query search ...
alerts
KQL
kusto
  • Clive_Watson's avatar
    Clive_Watson
    Oct 12, 2022
    trying adding a column_ifexists

    ...
    | extend Url = column_ifexists("Url","")
    | mv-expand todynamic(Url)
    | where isnotempty(Url)
    | project TimeGenerated, SystemAlertId, AlertName, Url
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Oct 12, 2022
trying adding a column_ifexists

...
| extend Url = column_ifexists("Url","")
| mv-expand todynamic(Url)
| where isnotempty(Url)
| project TimeGenerated, SystemAlertId, AlertName, Url
  • abon13's avatar
    abon13
    Copper Contributor
    Oct 13, 2022
    thanks. this works

    Curious to understand why KQL proceeds to the next query line when the where clause (line 3) comes up with blank results ?
    • Clive_Watson's avatar
      Clive_Watson
      Bronze Contributor
      Oct 13, 2022
      if its empty/blank, then the query stops at the mv-expand line

Resources