I created an alert with this SPL (index=_audit action=edit OR action=create OR action=delete OR action=change | stats count by user, action), but I am receiving an email when an admin triggers it, and in that email I don't see any information about who triggered it and what they triggered. Can anyone help me out with this?
You need to modify the actions of the email alert.
One thing I found helpful was to do something like this to threshold on the number of errors but still see the original events:
... | stats values(_raw) AS raw count AS errors | where errors > *threshold* | table errors raw | mvexpand raw
Is that a syntax?
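Putting the two replies together, here is an added example (not from anyone in this thread) of a savedsearches.conf stanza that keeps the original audit events alongside the per-user count and then references the result fields in the email action. The stanza name, recipient address, schedule and the threshold value 2 are assumed; the fields user, action and _raw are the ones the original search and the second reply already use.

```ini
# Constructed example stanza (assumed name, address, schedule and threshold).
[audit_config_changes_by_user]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Keep the per-user/action count for thresholding, but also keep the raw
# audit events so the email shows what was changed. mvexpand turns the
# multivalue raw field back into one row per original event.
search = index=_audit (action=edit OR action=create OR action=delete OR action=change) \
| stats count AS errors values(_raw) AS raw BY user, action \
| where errors > 2 \
| mvexpand raw \
| table user action errors raw

# Fire whenever the search returns at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
# One email per run with the whole result table; the $result.*$ tokens
# below refer to the first row when digest mode is on.
alert.digest_mode = 1

action.email = 1
action.email.to = secops@example.com
action.email.subject.alert = Splunk config change by $result.user$ ($result.action$)
action.email.message.alert = $job.resultCount$ audit rows matched. First row: user=$result.user$ action=$result.action$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.include.trigger_time = 1
action.email.include.search = 1
```

Set alert.digest_mode = 0 instead if you want one email per result row, each with its own $result.user$ and $result.action$ in the subject.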