Splunk Query Count by users

index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f
