https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62263#M15392 <P>I resolved this by using eventstats at search time. Assigned a unique ID at run-time.</P> Tue, 11 Aug 2015 06:04:36 GMT meenal901 2015-08-11T06:04:36Z https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62259#M15388 <P>Hi,</P> <P>I have a data of the form:<BR /> Source,Date,Time<BR /> Source1,20120904,000000<BR /> Source3,20120904,000000<BR /> Source1,20120904,000000<BR /> Source4,20120904,000000<BR /> Source2,20120904,000000<BR /> Source3,20120904,000000<BR /> Source4,20120904,000000<BR /> Source2,20120904,000000</P> <P>When i upload this file, i want to sort is based on column "Source" and add a custom column called "Unique_ID" which will have value of time+1 for same Source. Effectively, the data should look like:</P> <P>Source,Date,Time<BR /> Source1,20120904,000001<BR /> Source1,20120904,000002<BR /> Source2,20120904,000001<BR /> Source2,20120904,000002<BR /> Source3,20120904,000001<BR /> Source3,20120904,000002<BR /> Source4,20120904,000001<BR /> Source4,20120904,000002</P> <P>What regex should be written to props.conf and transforms.conf to do the same?</P> Thu, 13 Dec 2012 11:11:16 GMT https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62259#M15388 meenal901 2012-12-13T11:11:16Z https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62260#M15389 <P>Regular expressions can neither sort nor count nor do maths. For that you need a more powerful language, such as a scripted input that does this work for you.</P> <P>What's the ultimate goal you're trying to achieve here?</P> Thu, 13 Dec 2012 14:29:29 GMT https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62260#M15389 martin_mueller 2012-12-13T14:29:29Z https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62261#M15390 <P>Yes i understand the limitation of regex. The data is in a bucket of 15 minutes. I need a way to co-relate events of a source with another. A unique key at the time of adding data. But couldn't find.</P> Fri, 14 Dec 2012 12:05:13 GMT https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62261#M15390 meenal901 2012-12-14T12:05:13Z https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62262#M15391 <P>You could use the <CODE>_indextime</CODE> field to check when events were indexed, and then use that (if I understood your scenario correctly).</P> Fri, 14 Dec 2012 12:43:17 GMT https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62262#M15391 Ayn 2012-12-14T12:43:17Z https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62263#M15392 <P>I resolved this by using eventstats at search time. Assigned a unique ID at run-time.</P> Tue, 11 Aug 2015 06:04:36 GMT https://community.splunk.com/t5/Splunk-Search/Custom-calculated-Field-Extraction/m-p/62263#M15392 meenal901 2015-08-11T06:04:36Z