Hi. I have Splunk logs that come from different sources and contain different events. For example, one type of event contains user information without the server name:
Create a lookup and check it against the source.
I just want to construct a table, for example:

| Environment | User Activity | Username |
|---|---|---|
| DEV | Logged IN | systematics78 |

And I have sources from this environment, but with exactly the same configuration. For example, from the Dev environment I have a log file with several rows like this:

```
I log:187 10.161.2.165 some info
I log:587 Logged-In systematics78
```

For the Sandbox environment:

```
I log:187 10.161.1.175 some info
I log:587 Logged-In systematics78
```

The log names are generated randomly on a daily basis. So I have just one piece of info, the IP address, and based on that I can decide that a user activity is related to, for example, the DEV or Sandbox environment.

So the main question is: how can I create such a report?
```
index=_internal | head 1 | fields _raw
| eval _raw="I log:187 10.161.2.165 some info I log:587 Logged-In systematics78
I log:187 10.161.1.175 some info I log:587 Logged-In systematics78"
| multikv noheader=t
| rex "(?<ip>\d+\.\d+\.\d+\.\d+)"
| rex "(?<UserActivity>Logged\S+)\s*(?<Username>\S+)"
| table ip UserActivity Username
| lookup <your-lookup-name> ipaddress AS ip OUTPUT Environment
```

(The `lookup` command needs the lookup table name first, then the lookup field `ipaddress` matched against the extracted event field `ip`; `<your-lookup-name>` is a placeholder for your own lookup definition.)
Can I have more explanation of what exactly you mean?
https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Lookup
A field with a description and a field with an IP address would be fine, I guess.
Actually the fields are not the same. For example:

```
log: [I 2021-01-20 10:50:14.071 JupyterHub log:174] 302 GET / -> /jhub-test/hub/ (@10.161.10.174) 1.30ms
log: [I 2021-01-19 08:05:10.633 JupyterHub login:43] User logged out: systematics
```

This is from the same source. So based on the first row I can decide that the user logged off from the app in the QA environment.
It has good features. Pay attention here.
Also, I think it says ip in the source, so you can extract it from there.
Yes, I know it. I'm not so good on the Splunk side; that's why I'm asking. As I told you, I have more than 100+ such files as a source, some of them from different environments. And I just need to create a dashboard and visualize user activities with regard to the environment. I can construct these tables on a segregated source.
Splunk can create new fields with regular expressions, and there's nothing wrong with that.
Use rex as in my example.
Why don't you search and filter them all?
```
index=yours source=normal OR source=X.X.X.X "Logged"
| where match(source,"\d+\.\d+\.\d+\.\d+")
```
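A complete search for the situation described in this thread (randomly named JupyterHub sources, environment known only from the IP on the `log:174` request lines, login lines without any IP), added here as an example that is not part of the original thread and not the code of either poster. It assumes a CSV lookup named `env_by_ip` with the columns `ipaddress` and `Environment` (for example `10.161.10.174,QA`), and `<your_index>` is a placeholder for your own index.

```spl
index=<your_index> "JupyterHub" ("log:" OR "login:")
| rex field=_raw "\(@(?<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
| rex field=_raw "login:\d+\]\s+User\s+(?<UserActivity>logged\s+(?:in|out)):\s*(?<Username>\S+)"
| lookup env_by_ip ipaddress AS ip OUTPUT Environment
| eventstats values(Environment) AS Environment BY source
| where isnotnull(UserActivity)
| table _time source Environment UserActivity Username
| sort - _time
```

The `eventstats ... BY source` step is what carries the Environment from the request lines (which have an IP) to the login and logout lines of the same file (which do not). If the lookup holds subnets such as `10.161.10.0/24` rather than exact addresses, set `match_type = CIDR(ipaddress)` on the lookup definition in transforms.conf.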
I have sources from multiple environments, for example SandBox, Dev, QA, etc., with the exact same configuration, and I need to segregate them by environment. So I need to filter the source by searching for the IP address to identify the source's relationship with the environment, and afterwards use just that source with some events.