I have been looking into usage metrics for my companys Splunk deployment with the aim of analysing users searches and discovering how we can improve use of the system - such as by optimising their searches and reducing the number of concurrent searches they run.
I have been using the 'Search Activity by User' dashboard in the Search app and can identify users that are running concurrent searches and how many they are running, however I can't seem to see what those searches are. Is this possible and if so how do I go about this?
In the top right of your Splunk GUI you should see a link labeled "Jobs". [Manager | Alerts | Jobs | Logout]
This should take you to a view (if you have admin rights) that will show you all of the jobs that have been run, by user, app, time, amongst other useful data. I do have S.o.S. app installed on my Splunk instance, and can't remember if this feature is connected in any way to that app or comes standard.
Hope this helps.
You can use the S.o.S app search dashboard for details on the searches per user.
All the details are in the audit.log or in the scheduler.log
(index=_audit action=search ) OR ( index=_internal source=*scheduler.log* )