I use this one as a stacked column chart...
index=_internal sourcetype=splunkd source=*metrics.log group=search_concurrency user=* host=mysearchhead
| timechart avg(active_hist_searches) as "Historical Searches" avg(active_realtime_searches) as "Real-time Searches" by user useother=f limit=20