The following Splunk query is for the DBConnect app. It returns all user activity in this app, counted by date, user, info and action. I’ve provided the regex that extracts the user in the search.
index=_audit sourcetype=audittrail action="db_connect*"
| eval Date=strftime(_time, "%Y/%m/%d")
| rex "user=(?<user>\S+),"
| stats count by Date, user, info, action