This will return a table of users who conducted searches, the total time it took for searches to complete, a count of said searches, and the last time a search was conducted. *NOTE* You will need to modify “splunk_server=local” specifically the “local” section to represent your Splunk server. index=_audit splunk_server=local action=search (id=* OR search_id=*) | […]
