Dashboard
Account 🔐
Sign Up
Login
Global Leaderboard
Game Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
Kusto
›
mv-expand
Mv-Expand
Kusto
Definition
The `mv-expand` operator in Kusto Query Language (KQL) expands multi-value dynamic arrays or property bags into multiple rows. Each element in the array or each key-value pair is output as a separate row while duplicating the other column values. This makes it useful for flattening nested data so individual elements can be filtered, analyzed, or aggregated independently.
Explore More Terms
Summarize
Timeline
Nmap
Checkpoint
Ransomware
Examples & Use Cases
``` | mv-expand Tags ``` If a column `Tags` contains: ["user", "admin", "superadmin"] It will produce: * security * login * admin Each value now appears in its own row. --- ### Expanding Multiple Values ``` | mv-expand Tags, Categories ``` This expands multiple dynamic columns at the same time, aligning values by position when possible. --- ### Working with JSON Arrays ``` | mv-expand Events ``` If `Events` contains a JSON array of objects, each object becomes a separate row, allowing further filtering or parsing: ``` | mv-expand Events | where Events.type == "error" ``` --- ### Using with Index You can track the position of elements using `with_itemindex`: ``` | mv-expand Tags with_itemindex = Index ``` This adds an `Index` column showing the position (Zero-based) of each item in the original array. --- ### Why it matters Many datasets store information in arrays or nested structures. Without `mv-expand`, those values remain grouped together, making filtering and analysis difficult. * It enables row-level analysis of nested data * It simplifies querying arrays and JSON structures * It helps uncover patterns hidden inside multi-value fields However, expanding large arrays can significantly increase the number of rows, so it should be used carefully to avoid performance issues. --- ## Further Reading - [Microsoft Learn - mv-expand operator](https://learn.microsoft.com/en-us/kusto/query/mv-expand-operator)
.png)
