Forum Discussion
Solved
mv-expand - I cannot make it work!!
Can anyone spare anytime to give me a basic example of how to use mv-expand please, so that I can then expand on it! (See what I did there ) I just don't get it. I understand that it can be used ...
CodnChips I tend to use it when trying to get the related alerts from an incident. If you look at a row in the SecurityIncident table, you will see the AlertIds field is listed like:
["695ef2b2-ceb1-d087-b3bb-846a8555xxxx","xxxxxxxx-ceb1-d087-b3bb-846a8555xxxx"]which means it is a JSON array and in this case has 2 entries. In order to really use this field you would use mv-expand on the column as in
SecurityIncident | mv-expand AlertIdsThis will create a new row for each entry in the AlertIds column. All the other columns will be the same but the AlertIds column will only contain a single value per row. This makes it much easier to perform a join against the SecurityAlert table to get the alert information.
Glad to help 😉
You can also try https://github.com/rod-trent/MustLearnKQL for some more tips, and https://github.com/rod-trent/AddictedtoKQL when it releases.
#MustLearnKQL #KQL
You can also try https://github.com/rod-trent/MustLearnKQL for some more tips, and https://github.com/rod-trent/AddictedtoKQL when it releases.
#MustLearnKQL #KQL
Clive_Watson Perfect, thanks!