Hi everyone,
I have the following issue: within a search and a data field I find values like this:
db2_stat = "1,3:8"
db2_stat = "2,5:7"
My issue now is this should be translated into a comma separated list of all values starting with the value on the left side of the colon, ending with the value on the right side. In other words: the resulting data field should look like this:
db2_stat_xlated = "1,3,4,5,6,7,8"
db2_stat_xlated = "2,5,6,7"
I thought, I'd write a macro that calls recursively until the start value reaches end value. But whatever I've tried I ended up with the message
"Error in 'SearchParser': Reached maximum recursion depth (100) while expanding macros. Check for infinitely recursive macro definitions.".
Last version of the macro code
| eval st_v = $start_v$, ed_v = $end_v$, value_list = $val$
| eval nx_v = st_v + 1
| eval value_list = case(st_v < ed_v, value_list . st_v . "," . `GEN_VALUE_LIST(nx_v, ed_v, value_list)`,
st_v == ed_v, value_list . st_v,
1==1, value_list)
The macro definition
GEN_VALUE_LIST(3) with these arguments
start_v, end_v, val
Query to test
| makeresults
`GEN_VALUE_LIST(3,6,"1,")`
| table *
Although I'm keen to understand SPLUNK's issue with it (code transferred to perl language works) I'd mostly appreciate a working solution beyond defining all possible list values in a lookup file 🙂
Many thanks in advance,
Ekke
