The underlying issue with the question is that anomalies are relative to something... your particular users, your particular data, your particular applications, your particular seasonality, and so on.
In some companies, accessing a production database on a night or a weekend would be an anomaly. Others, FAILURE to access the database would be an anomaly.
Splunk has lots of features for detecting and analyzing unusual or interesting events.
The first step is to get the logs into splunk. Then, ask a question about access patterns, pull the relevant data, and get yourself a simple answer. Repeat, repeat, repeat.
Whenever you find the answer is not simple, or the data is not understandable, then post some non-confidential details about the issue in a new question and we will help you figure out how to think about the data you have, or how to reorganize it to make sense.
But the first step is acquiring a feed from the audit logs themselves, and getting them into splunk (or any other awesome tool) so that they can be examined.
Splunk does not have "modules" - instead there are "apps." Most apps are free, and you can find them at http://splunkbase.splunk.com
There are several free apps that help you ingest and analyze database logs.
There is also the Splunk App for Enterprise Security, which does a whole lot more than that, but is not free. Here is a fact sheet for the Splunk App for Enterprise Security.