Splunk Query Count by users _internal databeastmaster Vote Up +0 Vote Down -0You already voted! index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f Share This: Tagged: _audit