Ever wonder how your search performance is across search heads? Try this query.

Depending on your environment you’ll want to specify the host=* section to better represent your environment. Say if you have a naming convention that includes “shc” and a number representing searchheads in a cluster (distributed environment) you can use (host=shc1.fq.dn OR host=shc2.fq.dn OR host=shc3.fq.dn) or perhaps use wildcards like (host=”shc*”).

index=_audit sourcetype=audittrail action=search total_run_time=* host=* | dedup search_id | eval runtime=if(isnum(total_run_time), total_run_time, "null") | where runtime!="null" | timechart span=15m avg(runtime) as "Average Run Time" by host limit=0