Splunk event actions

When reviewing Splunk logs, you can rapidly create security events and security incidents from any item in the log using the Event Actions. Clicking either of these actions creates a manual search command populated with the data in the log entry and runs it to generate the new record. These actions are very easily configured to add fields in your normalized data.

Within Splunk, under Settings > Fields > Workflow Actions, you can select and edit either of these actions using the manual search fields. You can choose where the action is shown and for which fields, and you can modify the search string that contains the search command that creates your new record.
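
The settings described above, as an added example rather than configuration from the original page: workflow actions edited under Settings > Fields > Workflow Actions are stored as stanzas in workflow_actions.conf. The stanza name, label, field names and the `create_security_incident_placeholder` command with its arguments are assumptions standing in for the search command your integration provides.

```ini
# workflow_actions.conf (illustrative stanza; all names are placeholders)
[create_security_incident_example]
label = Create security incident
# A "search" action builds a search string and runs it when clicked
type = search

# Where the action is shown: event_menu, field_menu, or both
display_location = event_menu

# Fields the action applies to (* = all); these names are assumed
fields = src, dest, signature

# Search string run on click. $field$ tokens are replaced with values
# from the selected event. The command name and its arguments are
# hypothetical; substitute the command that creates your record.
search.search_string = | create_security_incident_placeholder short_description="$signature$" source_ip="$src$" dest_ip="$dest$"

# Open the generated search in a new window and keep the time range
# of the search the analyst was reviewing
search.target = blank
search.preserve_timerange = 1
```

Token values come from logged data, so keep them quoted in the search string and treat the fields of the resulting record as untrusted input.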