The following splunk queries will display any file access attempts (successful or failed) by user account.
Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/
Windows 2003 and older:
sourcetype="WinEventLog:Security" EventCode=560 Object_Type=File | eval Date=strftime(_time, "%Y/%m/%d") |eval UserName=coalesce(Primary_User_Name, Client_User_Name)| search UserName!="*$" AND UserName!="NETWORK SERVICE"| stats count by Date, Image_File_Name, UserName, Type, host | sort - Date
Windows 2008 and newer:
sourcetype="WinEventLog:Security" EventCode=4656 Object_Type=File (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*")| eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Account_Name, Process_Name, Keywords, host