mv-expand

Definition

Explore More Terms

Examples & Use Cases

```
| mv-expand Tags
```
If a column `Tags` contains: ["user", "admin", "superadmin"]

It will produce:

* security  
* login  
* admin

Each value now appears in its own row.

---

### Expanding Multiple Values

```
| mv-expand Tags, Categories
```
This expands multiple dynamic columns at the same time, aligning values by position when possible.

---

### Working with JSON Arrays
```
| mv-expand Events
```
If `Events` contains a JSON array of objects, each object becomes a separate row, allowing further filtering or parsing:
```
| mv-expand Events
| where Events.type == "error"
```

---

### Using with Index

You can track the position of elements using `with_itemindex`:
```
| mv-expand Tags with_itemindex = Index
```
This adds an `Index` column showing the position (Zero-based) of each item in the original array.

---

### Why it matters

Many datasets store information in arrays or nested structures. Without `mv-expand`, those values remain grouped together, making filtering and analysis difficult.

* It enables row-level analysis of nested data  
* It simplifies querying arrays and JSON structures  
* It helps uncover patterns hidden inside multi-value fields

However, expanding large arrays can significantly increase the number of rows, so it should be used carefully to avoid performance issues.

---

## Further Reading
- [Microsoft Learn - mv-expand operator](https://learn.microsoft.com/en-us/kusto/query/mv-expand-operator)