I tried to put it together with the document actions as mentioned, and the search did not work. I get the error mesage

Error in 'rex' command: Encountered the following error while compiling the regex '(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)': Regex: missing )

The code i tried to execute is as follows:

index=doccloud_main sourcetype=doccloud_sb | rex "(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)" | stats count by document_action

I should have tested his RegEx. This works:

documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)

I have updated my answer.

I was kind of wondering if I could tweak this further(graphically) so it displays each of the actions mentioned above on a day-to-day basis. For example, it would show a count of how many documents added, updated, downloaded, view, e.t.c daily.

Is that possible?

Yes, like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud.rs.services.(?[^.]+).(?[^(]+)" | timechart span=1d count by document_action

I get one giant bar of null when executing:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action

I think it just added everything into one bar

Did you run your search for more than 1 day? I told it to bucket by days. If you would like to run a shorter search and bucket by hours, switch span=1d to span=1h.

I tried for one day and for 30 days and get the same result. I want the total count of each action on a day to day basis for the past 30 days.

The problem is probably your scale; one of the values ( null ?) is so large that it drowns out the other bars. Change the Y-axis format from "linear" to "log" and you should see all the bars. If it is null that is killing you, you can strip it out like this:

 index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | where isnotnull(document_action) | timechart span=1d count by document_action

WORKS BETTER THAN A DREAM!

EXCELLENT!!!

@splunkman341, Your regex is invalid. ( and ) are part of the regex syntax used for group you have to escape them. I recommend that you visit http://www.regular-expressions.info. If you would like service checkout my update regex statement.