This will return a table of users who conducted searches, the total time it took for searches to complete, a count of said searches, and the last time a search was conducted.
*NOTE* You will need to modify "splunk_server=local", specifically the "local" section, to represent your Splunk server.
index=_audit splunk_server=local action=search (id=* OR search_id=*)
| eval search_id = if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| rex "search='search\s(?<search>.*?)',\sautojoin"
| search search_id!=scheduler_*
| convert num(total_run_time)
| eval user = if(user="n/a", null(), user)
| stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id
| search search!=*_internal* search!=*_audit*
| chart sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user
| fieldformat "Last use" = strftime('Last use', "%F %T.%Q")
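To make visible what that pipeline computes, here is an added Python example that is not part of the original post and not Splunk code. It parses a handful of constructed audit-style events (the field layout only approximates what a search head writes to index=_audit), then reproduces the same steps: prefer search_id over id, drop scheduler searches, null out user=n/a, take min(_time)/first(user)/max(total_run_time)/first(search) per search_id, drop searches that touch _internal or _audit, and roll up total time, count and last use per user. The search text is pulled out with the same regex as the rex stage, anchored on the literal `', autojoin` marker, so key=value pairs inside the SPL itself (for example a literal search="...") cannot confuse the extraction the way automatic key-value extraction can. The function names and the sample data are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events. This is NOT real Splunk output; the layout only
# approximates the _audit "action=search" events the SPL above reads.
SAMPLE_AUDIT = """\
Audit:[timestamp=06-10-2023 10:00:05.123, user=alice, action=search, info=granted, search_id='1686391205.100', search='search index=main error', autojoin='1'][n/a]
Audit:[timestamp=06-10-2023 10:00:17.400, user=alice, action=search, info=completed, search_id='1686391205.100', total_run_time=12.30, event_count=100, search='search index=main error', autojoin='1'][n/a]
Audit:[timestamp=06-10-2023 10:05:00.000, user=n/a, action=search, info=completed, search_id='scheduler__admin__search__RMD5abc_at_1686391500_1', total_run_time=3.00, search='search index=main | stats count', autojoin='1'][n/a]
Audit:[timestamp=06-10-2023 10:07:42.000, user=bob, action=search, info=completed, search_id='1686391662.101', total_run_time=45.10, search='search index=_internal source=*metrics.log', autojoin='1'][n/a]
Audit:[timestamp=06-10-2023 10:09:01.000, user=bob, action=search, info=completed, search_id='1686391741.102', total_run_time=8.00, search='search index=web search="provenance"', autojoin='1'][n/a]
Audit:[timestamp=06-10-2023 10:12:30.500, user=n/a, action=search, info=completed, id='1686391950.103', total_run_time=2.50, search='search index=web status=500', autojoin='1'][n/a]
"""

AUDIT_TS = "%m-%d-%Y %H:%M:%S.%f"
RE_TS = re.compile(r"timestamp=(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
# The audit 'user=' field precedes the search text, so the first match is the audit field,
# not a 'user=' that may appear inside the SPL.
RE_USER = re.compile(r"\buser=([^,\]]+)")
# Either search_id='...' or id='...' (the eval/replace stages of the SPL), quotes stripped.
RE_SID = re.compile(r"\b(?:search_id|id)='([^']*)'")
RE_RUNTIME = re.compile(r"\btotal_run_time=([0-9.]+)")
# Same regex as the rex stage: everything after search='search up to the ', autojoin marker.
RE_SEARCH = re.compile(r"search='search\s(?P<search>.*?)',\sautojoin")


def parse_audit_event(line):
    """Return the fields the rollup needs, or None if the line is not a search audit event."""
    if "action=search" not in line:
        return None
    sid = RE_SID.search(line)
    if not sid:
        return None
    ts, user, rt, spl = (r.search(line) for r in (RE_TS, RE_USER, RE_RUNTIME, RE_SEARCH))
    user_val = user.group(1).strip() if user else None
    return {
        "_time": datetime.strptime(ts.group(1), AUDIT_TS) if ts else None,
        "user": None if user_val in (None, "n/a") else user_val,   # eval user = if(user="n/a", null(), user)
        "search_id": sid.group(1),
        "total_run_time": float(rt.group(1)) if rt else None,      # convert num(total_run_time)
        "search": spl.group("search") if spl else None,
    }


def rollup_by_search(events):
    """The 'stats ... by search_id' stage: one row per search, scheduler searches excluded."""
    per_sid = {}
    for ev in events:
        if ev["search_id"].startswith("scheduler_"):
            continue
        row = per_sid.setdefault(ev["search_id"],
                                 {"_time": None, "user": None, "total_run_time": None, "search": None})
        if ev["_time"] and (row["_time"] is None or ev["_time"] < row["_time"]):
            row["_time"] = ev["_time"]                              # min(_time)
        if row["user"] is None and ev["user"]:
            row["user"] = ev["user"]                                # first non-null user
        rt = ev["total_run_time"]
        if rt is not None and (row["total_run_time"] is None or rt > row["total_run_time"]):
            row["total_run_time"] = rt                              # max(total_run_time)
        if row["search"] is None and ev["search"]:
            row["search"] = ev["search"]                            # first(search)
    return per_sid


def rollup_by_user(per_sid):
    """The final 'chart ... by user' stage, after dropping _internal/_audit searches."""
    out = defaultdict(lambda: {"Total search time": 0.0, "Search count": 0, "Last use": None})
    for row in per_sid.values():
        spl = row["search"]
        # search!=*_internal* also drops rows where the search field is missing
        if spl is None or "_internal" in spl or "_audit" in spl:
            continue
        if row["user"] is None:
            continue                                                # chart by user drops null keys
        u = out[row["user"]]
        u["Total search time"] += row["total_run_time"] or 0.0
        u["Search count"] += 1
        if row["_time"] and (u["Last use"] is None or row["_time"] > u["Last use"]):
            u["Last use"] = row["_time"]
    return dict(out)


def search_activity(audit_text):
    """Per-user table: total search time, search count, last use."""
    events = [e for e in (parse_audit_event(l) for l in audit_text.splitlines()) if e]
    return rollup_by_user(rollup_by_search(events))


if __name__ == "__main__":
    for user, row in sorted(search_activity(SAMPLE_AUDIT).items()):
        last = row["Last use"].strftime("%Y-%m-%d %H:%M:%S") if row["Last use"] else "-"
        print(f"{user:<8} {row['Total search time']:>8.2f}s  {row['Search count']:>3}  {last}")
```

Running the block prints one line per user. Note that, just as in the SPL, the search whose only audit event carries id= and user=n/a contributes nothing to the per-user table because its user is null, and bob's _internal search is dropped before the chart stage.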
This is a great search, but the audit log is a bit of a nightmare, in large part because autokv is on, so terms in the SPL itself get extracted (and it gets ugly when one of them is "search" or "provenance", etc.).
I recommend checking out an app that we released recently called Sideview UI, specifically the view within that app called "user_activity".
The app rolls up all the info from audit on both the info="granted" side and the info="completed" side, folds in the introspection data as well, which is pretty significant, AND sidesteps pretty thorny autokv problems in the audit data by re-extracting from a custom search command.
Then you get all of this data per search, but you also get stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched.
It also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc., so that admins can try and pick off the worst offenders first.
It's up on SB here and approved for both Cloud and on-prem: https://splunkbase.splunk.com/app/6449/
And there's a #sideview_ui channel for it in the Splunk community Slack.