axiomhq · manototh · Oct 2, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025
diff --git a/apl/apl-features.mdx b/apl/apl-features.mdx
@@ -280,10 +280,15 @@ keywords: ['axiom documentation', 'documentation', 'axiom', 'APL', 'axiom proces
 | Tabular operator       | [join](/apl/tabular-operators/join-operator)                                                | Returns a dataset containing rows from two different tables based on conditions. |
 | Tabular operator       | [limit](/apl/tabular-operators/limit-operator)                                              | Returns the top N rows from the input dataset. |
 | Tabular operator       | [lookup](/apl/tabular-operators/lookup-operator)                                            | Returns a dataset where rows from one dataset are enriched with matching columns from a lookup table based on conditions. |
+| Tabular operator       | [make-series](/apl/tabular-operators/make-series)                                            | Returns a dataset where the specified field is aggregated into a time series. |
+| Tabular operator       | [mv-expand](/apl/tabular-operators/mv-expand)                                              | Returns a dataset where the specified field is expanded into multiple rows. |
 | Tabular operator       | [order](/apl/tabular-operators/order-operator)                                              | Returns the input dataset, sorted according to the specified fields and order. |
 | Tabular operator       | [parse](/apl/tabular-operators/parse-operator)                                              | Returns the input dataset with new fields added based on the specified parsing pattern. |
+| Tabular operator       | [parse-kv](/apl/tabular-operators/parse-kv)                                              | Returns a dataset where key-value pairs are extracted from a string field into individual columns. |
+| Tabular operator       | [parse-where](/apl/tabular-operators/parse-where)                                              | Returns a dataset where values from a string are extracted based on a pattern. |
 | Tabular operator       | [project-away](/apl/tabular-operators/project-away-operator)                                | Returns the input dataset excluding the specified fields. |
 | Tabular operator       | [project-keep](/apl/tabular-operators/project-keep-operator)                                | Returns a dataset with only the specified fields. |
+| Tabular operator       | [project-rename](/apl/tabular-operators/project-rename)                                | Returns a dataset where the specified field is renamed according to the specified pattern. |
 | Tabular operator       | [project-reorder](/apl/tabular-operators/project-reorder-operator)                          | Returns a table with the specified fields reordered as requested followed by any unspecified fields in their original order. |
 | Tabular operator       | [project](/apl/tabular-operators/project-operator)                                          | Returns a dataset containing only the specified fields. |
 | Tabular operator       | [redact](/apl/tabular-operators/redact-operator)                                            | Returns the input dataset with sensitive data replaced or hashed. |

diff --git a/apl/scalar-functions/conversion-functions/toarray.mdx b/apl/scalar-functions/conversion-functions/toarray.mdx
@@ -3,7 +3,7 @@ title: toarray
 description: 'This page explains how to use the toarray function in APL.'
 ---
 
-Use the `toarray` function in APL to convert a dynamic-typed input—such as a bag, property bag, or JSON array—into a regular array. This is helpful when you want to process the elements individually with array functions like `array_length`, `array_index_of`, or `mv-expand`.
+Use the `toarray` function in APL to convert a dynamic-typed input—such as a bag, property bag, or JSON array—into a regular array. This is helpful when you want to process the elements individually with array functions like `array_length` or `array_index_of`.
 
 You typically use `toarray` when working with semi-structured data, especially after parsing JSON from log fields or external sources. It lets you access and manipulate nested collections using standard array operations.
 

diff --git a/apl/tabular-operators/make-series.mdx b/apl/tabular-operators/make-series.mdx
@@ -0,0 +1,178 @@
+---
+title: make-series
+description: 'This page explains how to use the make-series operator in APL.'
+---
+
+## Introduction
+
+The `make-series` operator transforms event data into array-based time series. Instead of producing one row per time bucket, `make-series` encodes the values and corresponding timestamps into arrays stored in table fields. This makes it possible to apply `series_*` functions for advanced manipulations such as moving averages, smoothing, anomaly detection, or other time-series computations.
+
+You find this operator useful when you want to:
+
+- Turn event data into array-encoded time series for further analysis.
+- Apply `series_*` functions (for example, `series_fir`, `series_stats`) to aggregated data.
+- Postprocess and then expand arrays back into rows with `mv-expand` for visualization or downstream queries.
+
+Unlike `summarize`, which produces row-based aggregations, `make-series` is designed specifically for creating and manipulating array-based time series.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, the `timechart` command creates row-based time series, with one row per time bucket. In APL, the `make-series` operator instead encodes the series into arrays, which you can later manipulate or expand. This is a key difference from SPL’s row-based approach.
+
+<CodeGroup>
+```sql Splunk example
+index=sample-http-logs
+| timechart span=1m avg(req_duration_ms)
+````
+
+```kusto APL equivalent
+['sample-http-logs']
+| make-series avg(req_duration_ms) default=0 on _time from ago(1h) to now() step 1m
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+In ANSI SQL, you typically use `GROUP BY` with a generated series or calendar table to create row-based time buckets. In APL, `make-series` creates arrays of values and timestamps in a single row. This lets you perform array-based computations on the time series before optionally expanding back into rows.
+
+<CodeGroup>
+```sql SQL example
+SELECT
+  time_bucket('1 minute', _time) AS minute,
+  AVG(req_duration_ms) AS avg_duration
+FROM sample_http_logs
+WHERE _time > NOW() - interval '1 hour'
+GROUP BY minute
+ORDER BY minute
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| make-series avg(req_duration_ms) default=0 on _time from ago(1h) to now() step 1m
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+make-series [Aggregation [, ...]]
+    [default = DefaultValue]
+    on TimeField
+    [in Range]
+    step StepSize
+    [by GroupingField [, ...]]
+```
+
+### Parameters
+
+| Parameter        | Description                                                                                                     |
+| ---------------- | --------------------------------------------------------------------------------------------------------------- |
+| `Aggregation`    | One or more aggregation functions (for example, `avg()`, `count()`, `sum()`) applied to each time bin, producing arrays of values.       |
+| `default`        | A value to use when no records exist in a time bin.                                                             |
+| `TimeField`     | The field containing timestamps used for binning.                                                              |
+| `Range`          | An optional range expression specifying the start and end of the series (for example, `from ago(1h) to now()`). |
+| `StepSize`       | The size of each time bin (for example, `1m`, `5m`, `1h`).                                                      |
+| `GroupingField` | Optional fields to split the series by, producing parallel arrays for each group.                                 |
+
+### Returns
+
+The operator returns a table where each aggregation produces an array of values aligned with an array of time bins. Each row represents a group (if specified), with arrays that encode the entire time series.
+
+## Use case examples
+
+<Tabs>
+<Tab title="Log analysis">
+
+You want to create an array-based time series of request counts, then compute a rolling average using a `series_*` function, and finally expand back into rows for visualization.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| make-series count() on _time from now()-24h to now() step 5m
+| extend moving_avg_count=series_fir(count_, dynamic([1, 1, 1, 1, 1]))
+| mv-expand moving_avg_count to typeof(long), count_ to typeof(long), time to typeof(datetime)
+| project-rename _time=time
+| summarize avg(moving_avg_count), avg(count_) by bin(_time, 5m)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20make-series%20count()%20on%20_time%20from%20now()-24h%20to%20now()%20step%205m%20%7C%20extend%20moving_avg_count%3Dseries_fir(count_%2C%20dynamic(%5B1%2C%201%2C%201%2C%201%2C%201%5D))%20%7C%20mv-expand%20moving_avg_count%20to%20typeof(long)%2C%20count_%20to%20typeof(long)%2C%20time%20to%20typeof(datetime)%20%7C%20project-rename%20_time%3Dtime%20%7C%20summarize%20avg(moving_avg_count)%2C%20avg(count_)%20by%20bin(_time%2C%205m)%22%2C%22queryOptions%22%3A%7B%22quickRange%22%3A%221d%22%7D%7D)
+
+**Output**
+
+| _time               | count_ | moving_avg_count |
+| ------------------- | ------ | ---------------- |
+| 2025-09-29T10:00:00 | 120    | 118              |
+| 2025-09-29T10:05:00 | 130    | 122              |
+| 2025-09-29T10:10:00 | 110    | 121              |
+
+The query turns request counts into arrays, applies a smoothing function, and then expands the arrays back into rows for analysis.
+
+</Tab>
+<Tab title="OpenTelemetry traces">
+
+You want to analyze span durations per service, storing them as arrays for later manipulation.
+
+**Query**
+
+```kusto
+['otel-demo-traces']
+| make-series avg(duration) on _time from ago(2h) to now() step 10m by ['service.name']
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'otel-demo-traces'%5D%20%7C%20make-series%20avg(duration)%20on%20_time%20from%20ago(2h)%20to%20now()%20step%2010m%20by%20%5B'service.name'%5D%22%7D)
+
+**Output**
+
+| service.name    | avg_duration                  | time                    |
+| --------------- | ----------------------------- | ----------------------- |
+| frontend        | [20ms, 18ms, 22ms, 19ms, ...] | [2025-09-29T08:00, ...] |
+| checkout        | [35ms, 40ms, 33ms, 37ms, ...] | [2025-09-29T08:00, ...] |
+
+The query produces array-encoded time series per service, which you can further process with `series_*` functions.
+
+</Tab>
+<Tab title="Security logs">
+
+You want to analyze the rate of HTTP 500 errors in your logs per minute.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| where status == '500'
+| make-series count() default=0 on _time from ago(30m) to now() step 1m
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20where%20status%20%3D%3D%20'500'%20%7C%20make-series%20count()%20default%3D0%20on%20_time%20from%20ago(30m)%20to%20now()%20step%201m%22%7D)
+
+**Output**
+
+| count_       | _time                  |
+| ------------------------ | ---------------------- |
+| [1489, 1428, 1517, 1462, 1509, ...] | ["2025-09-30T09:08:14.921301725Z", "2025-09-30T09:09:14.921301725Z", ...] |
+
+The query generates a time series of HTTP 500 error counts as an array-based time series for further analysis with `series_*` functions.
+
+</Tab>
+</Tabs>
+
+## List of related operators
+
+- [extend](/apl/tabular-operators/extend-operator): Creates new calculated fields, often as preparation before `make-series`. Use `extend` when you want to preprocess data for time series analysis.
+- [mv-expand](/apl/tabular-operators/mv-expand): Expands arrays into multiple rows. Use `mv-expand` to work with the arrays returned by `make-series`.
+- [summarize](/apl/tabular-operators/summarize-operator): Aggregates rows into groups but does not generate continuous time bins. Use `summarize` when you want flexible grouping without forcing evenly spaced intervals.
+- [top](/apl/tabular-operators/top-operator): Returns the top rows by a specified expression, not time series. Use `top` when you want to focus on the most significant values instead of trends over time.
diff --git a/apl/tabular-operators/mv-expand.mdx b/apl/tabular-operators/mv-expand.mdx
@@ -0,0 +1,104 @@
+---
+title: mv-expand
+description: 'This page explains how to use the mv-expand operator in APL.'
+---
+
+The `mv-expand` operator expands dynamic arrays and property bags into multiple rows. Each element of the array or each property of the bag becomes its own row, while other columns are duplicated.  
+
+You use `mv-expand` when you want to analyze or filter individual values inside arrays or objects. This is especially useful when working with logs that include lists of values, OpenTelemetry traces that contain arrays of spans, or security events that group multiple attributes into one field.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, the `mvexpand` command expands multi-value fields into separate events. The APL `mv-expand` operator works in a very similar way, splitting array values into individual rows. The main difference is that APL explicitly works with dynamic arrays or property bags, while Splunk handles multi-value fields implicitly.
+
+<CodeGroup>
+```sql Splunk example
+... | mvexpand request_uri
+````
+
+```kusto APL equivalent
+['sample-http-logs']
+| mv-expand uri
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+In ANSI SQL, you use `CROSS JOIN UNNEST` or `CROSS APPLY` to flatten arrays into rows. In APL, `mv-expand` provides a simpler and more direct way to achieve the same result.
+
+<CodeGroup>
+```sql SQL example
+SELECT id, value
+FROM logs
+CROSS JOIN UNNEST(request_uris) AS t(value)
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| mv-expand uri
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+mv-expand [kind=(bag|array)] [with_itemindex=IndexFieldName] FieldName [to typeof(Typename)] [limit Rowlimit]
+```
+
+### Parameters
+
+| Parameter                        | Description                                                                            |
+| -------------------------------- | -------------------------------------------------------------------------------------- |
+| `kind`             | Optional. Specifies whether the column is a bag (object) or an array. Defaults to `array`. |
+| `with_itemindex=IndexFieldName` | Optional. Outputs an additional column with the zero-based index of the expanded item. |
+| `FieldName`                     | Required. The name of the column that contains an array or object to expand.           |
+| `to typeof(Typename)`            | Optional. Converts each expanded element to the specified type.                        |
+| `limit Rowlimit`                 | Optional. Limits the number of expanded rows per record.                               |
+
+### Returns
+
+The operator returns a table where each element of the expanded array or each property of the expanded object is placed in its own row. Other columns are duplicated for each expanded row.
+
+## Use case example
+
+When analyzing logs, some values can be stored as arrays. You can use `mv-expand` to expand them into individual rows for easier filtering.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| limit 100
+| mv-expand territories
+| summarize count = count() by territory_name = tostring(territories)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20limit%20100%20%7C%20mv-expand%20territories%20%7C%20summarize%20count%20%3D%20count()%20by%20territory_name%20%3D%20tostring(territories)%22%7D)
+
+**Output**
+
+| territory_name      | count |
+| ---------------- | ------- |
+| United States | 67     |
+| India         | 22     |
+| Japan         | 12     |
+
+This query expands the `territories` array into rows and counts the most frequent territories.
+
+## List of related operators
+
+- [project](/apl/tabular-operators/project-operator): Selects or computes columns. Use it when you want to reshape data, not expand arrays.
+- [summarize](/apl/tabular-operators/summarize-operator): Aggregates data across rows. Use it after expanding arrays to compute statistics.
+- [top](/apl/tabular-operators/top-operator): Returns the top N rows by expression. Use it after expansion to find the most frequent values.