https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667719#M229063 <P>John:x:/home/John:/bin/bash&nbsp;</P><P>&nbsp;</P><P>is there a way to extract the field from above with colon separated. &nbsp;We have many users in the above format from /etc/passwd&nbsp;<BR /><BR /></P><P>John - username&nbsp;</P><P>x - passwd&nbsp;</P><P>/home/John - path&nbsp;</P> Tue, 07 Nov 2023 17:53:17 GMT Hema_Nithya 2023-11-07T17:53:17Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667719#M229063 <P>John:x:/home/John:/bin/bash&nbsp;</P><P>&nbsp;</P><P>is there a way to extract the field from above with colon separated. &nbsp;We have many users in the above format from /etc/passwd&nbsp;<BR /><BR /></P><P>John - username&nbsp;</P><P>x - passwd&nbsp;</P><P>/home/John - path&nbsp;</P> Tue, 07 Nov 2023 17:53:17 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667719#M229063 Hema_Nithya 2023-11-07T17:53:17Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667722#M229065 <LI-CODE lang="markup">| rex "(?&lt;username&gt;[^:]+):(?&lt;passwd&gt;[^:]+):(?&lt;path&gt;[^:]+)"</LI-CODE> Tue, 07 Nov 2023 18:19:09 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667722#M229065 ITWhisperer 2023-11-07T18:19:09Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667736#M229072 <P>Thank you , let me check and update you !&nbsp;</P> Tue, 07 Nov 2023 19:16:57 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/667736#M229072 Hema_Nithya 2023-11-07T19:16:57Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/669976#M229720 <P>How to deal with the empty fields between . Example there is empty field between passwd and after home directory&nbsp;</P><P>userid:passwd: :/home/John: :&nbsp;</P> Tue, 28 Nov 2023 07:51:46 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/669976#M229720 Hema_Nithya 2023-11-28T07:51:46Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/669991#M229728 <LI-CODE lang="markup">| rex "(?&lt;username&gt;[^:]*):(?&lt;passwd&gt;[^:]*):(?&lt;path&gt;[^:]*)"</LI-CODE> Tue, 28 Nov 2023 09:21:45 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-extract-fields-which-is-separated/m-p/669991#M229728 ITWhisperer 2023-11-28T09:21:45Z