Splunk Server Restart Duration

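The following Splunk search uses the transaction command to pair each splunkShuttingDown event in the _audit index with the next splunkStarting event on the same splunk_server, and reports how long the Splunk service itself took to restart, in minutes.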

 

index=_audit (action="splunkShuttingDown" OR action="splunkStarting")
| eval Date=strftime(_time, "%Y/%m/%d")
| transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting"
| eval duration=round(duration/60, 2)
| table Date splunk_server duration
| rename duration as "Splunk Restart Duration" splunk_server as "Splunk Server"
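
The pairing this search relies on, modeled in Python as an added example (not part of the original post and not Splunk code). It goes one step beyond the search by also returning the events that never formed a shutdown/start pair, since a start with no logged shutdown or a shutdown with no later start is worth reviewing. The function name, server names and sample events are constructed for illustration.

```python
from datetime import datetime

# Constructed sample events (not real _audit data): (timestamp, splunk_server, action)
SAMPLE_EVENTS = [
    ("2024-03-01 02:00:05", "idx01", "splunkShuttingDown"),
    ("2024-03-01 02:03:35", "idx01", "splunkStarting"),
    ("2024-03-01 02:10:00", "idx02", "splunkShuttingDown"),
    ("2024-03-02 09:15:00", "idx01", "splunkStarting"),      # start with no logged shutdown
    ("2024-03-02 11:00:00", "idx02", "splunkShuttingDown"),  # earlier idx02 shutdown never closed
    ("2024-03-02 11:01:30", "idx02", "splunkStarting"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def restart_durations(events):
    """Pair each splunkShuttingDown with the next splunkStarting per server.

    Returns (restarts, unpaired). restarts holds (date, server, minutes) rows
    like the search's table, dated by the shutdown event. unpaired holds
    (datetime, server, action) for events that never formed a pair.
    """
    pending = {}  # server -> datetime of the shutdown still waiting for a start
    restarts, unpaired = [], []
    parsed = sorted((datetime.strptime(ts, TS_FORMAT), srv, act)
                    for ts, srv, act in events)
    for when, server, action in parsed:
        if action == "splunkShuttingDown":
            if server in pending:  # a second shutdown before any start
                unpaired.append((pending[server], server, action))
            pending[server] = when
        elif action == "splunkStarting":
            began = pending.pop(server, None)
            if began is None:  # start without a preceding shutdown
                unpaired.append((when, server, action))
            else:
                minutes = round((when - began).total_seconds() / 60, 2)
                restarts.append((began.strftime("%Y/%m/%d"), server, minutes))
    # Shutdowns that were never followed by a start
    unpaired.extend((when, srv, "splunkShuttingDown") for srv, when in pending.items())
    return restarts, unpaired


if __name__ == "__main__":
    rows, leftovers = restart_durations(SAMPLE_EVENTS)
    for row in rows:
        print(*row)
    for when, server, action in leftovers:
        print("unpaired:", when, server, action)
```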