https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51605#M12497 <P>Tried index=_* AND index=* sourcetype=searches over 24 hours . 0 results.</P> Wed, 06 Mar 2013 14:21:33 GMT rmorlen 2013-03-06T14:21:33Z https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51603#M12495 <P>Pre-Splunk 5 I could find a list of searches for a user by doing something like:</P> <P>index=_internal sourcetype=searches username</P> <P>What is the Splunk 5 equivalent?</P> <P>How about getting a count of all searches run for a day?</P> Tue, 05 Mar 2013 14:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51603#M12495 rmorlen 2013-03-05T14:40:23Z https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51604#M12496 <P>take a look in look in index=_audit</P> <P>[edit]<BR /> it's not as simple <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>you may want to take a look at the SOS app, it has nice dashboards on the search usage (for ad-hoc searches and scheduled searches)</P> <P># ad-hoc searches look in the _audit</P> <P><CODE>index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | rex "search='(?&lt;search&gt;.*?)', autojoin" | search search_id!=scheduler_* | convert num(total_run_time) | eval user = if(user="n/a", null(), user) | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id | search search=search* search!=*_internal* search!=*_audit* | chart median(total_run_time) as "Median search time" perc95(total_run_time) as "95th Percentile search time" sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user | fieldformat "Last use" = strftime('Last use', "%F %T.%Q %:z")</CODE></P> <P># scheduled searches you can look in the _internal index</P> <P><CODE>index=_internal source=*scheduler.log*<BR /> | stats min(run_time) as "Min runtime (seconds)", median(run_time) as median_runtime, max(run_time) as max_runtime, count(eval(status!="continued")) AS total_exec, count(eval(status=="success")) as "Successful executions", count(eval(status=="skipped")) AS "Skipped executions" by app, savedsearch_name, user<BR /> </CODE></P> Tue, 05 Mar 2013 15:43:15 GMT https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51604#M12496 yannK 2013-03-05T15:43:15Z https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51605#M12497 <P>Tried index=_* AND index=* sourcetype=searches over 24 hours . 0 results.</P> Wed, 06 Mar 2013 14:21:33 GMT https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51605#M12497 rmorlen 2013-03-06T14:21:33Z https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51606#M12498 <P>Thank you for this</P> Fri, 01 Apr 2016 13:06:48 GMT https://community.splunk.com/t5/Splunk-Search/Finding-searches-for-a-user/m-p/51606#M12498 rsathish47 2016-04-01T13:06:48Z