https://community.splunk.com/t5/Security/Auditing-queries/m-p/167630#M4964 <P>Try this:</P> <PRE><CODE>index=_audit action=search search=* | table _time,user,search </CODE></PRE> <P>That should get you started...</P> Thu, 05 Dec 2013 19:49:19 GMT jtrucks 2013-12-05T19:49:19Z https://community.splunk.com/t5/Security/Auditing-queries/m-p/167629#M4963 <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Security/AuditSplunkactivity#Activities_that_generate_audit_events">This</A> link describes the events that can be audited in Splunk. I would also like to keep the audit trail of ALL the queries that a user runs after he/she logs in. Is that possible? How?</P> Thu, 05 Dec 2013 11:11:26 GMT https://community.splunk.com/t5/Security/Auditing-queries/m-p/167629#M4963 amanteja 2013-12-05T11:11:26Z https://community.splunk.com/t5/Security/Auditing-queries/m-p/167630#M4964 <P>Try this:</P> <PRE><CODE>index=_audit action=search search=* | table _time,user,search </CODE></PRE> <P>That should get you started...</P> Thu, 05 Dec 2013 19:49:19 GMT https://community.splunk.com/t5/Security/Auditing-queries/m-p/167630#M4964 jtrucks 2013-12-05T19:49:19Z