Hi Everyone,
We have an application accessible to some authorized users. We want to monitor the users' activity for security reasons. For this purpose I will need to use log information stored in Splunk. I have been trying to generate a report using a Splunk search query to retrieve the fields and data that I need for my report. I have some basic fields like index, host, sourcetype... but it is not sufficient to provide me with the data that I want. I learned that I should use some expressions. I am a complete beginner with Splunk and know very little about Splunk Processing Language. I'd appreciate any help with some generic Splunk query. Below are the report requirements:
1. User Enrollment Log: Provides a record of all changes made to user enrollments for the day. The report shows the full details of each user enrollment before (for changed and deleted enrollments) and/or after (for new and changed enrollments) maintenance.
2. Group (Role) Function Definition Report: Provides a record of all changes made to function definitions for the day. The report shows the full details of each function definition before (for changed and deleted definitions) and after (for new and changed definitions) maintenance.
3. User Activity Log: Chronological list of all activities for each user. The information on the report identifies the nature of the activity, the date and time the activity occurred, and whether a permissions violation occurred.