Why does mvexpand X remove events with X=NULL? As simple as that. It's illogical from my perspective, unless it's on purpose.
Either way of behaving makes some sense but, IMHO the way that it actually work makes more sense than the other.
Either way it could have worked, could easily be converted to the other.
In this case, just do this:
... | eval X = coalesce(X, "ImpossibleValueToDropLater") | mvexpand X | eval X = if(X="ImpossibleValueToDropLater", null(), X)
You're the best! Thanks. I decided to write less code but convert null values to strings, as posted in https://answers.splunk.com/answers/548304/mvexpand-gives-less-results.html:
eval username=coalesce(username,"") | mvexpand username