Splunk Query Count by users

• _internal
• databeastmaster
• 0 0

index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f

1	index=_audit search=* NOT (search_id='scheduler* OR search_id='Summary*) user=admin | timechart span=1d count by user usenull=f

Share This:

Tagged: _audit

Related Queries

Identifying Hosts not sending data for more than 6 hours

Datamodel Search Performance

Data Usage for Indexer and Forwarders