https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458912#M170429 <P>Hi @asneed_eu </P> <P>Thanks for your replay. It seems to works but i can only see my username. Can't see other users.</P> Thu, 11 Jul 2019 07:18:31 GMT amirarsalan 2019-07-11T07:18:31Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458909#M170426 <P>Hi Everyone!</P> <P>I need some help to identify which user are running longest/bad searches. Sometimes splunk goes very slow and it indicate that someone running searches/jobs that is not god and I want to identify who it is and see the search string for that user.</P> <P>Someone that can help me with a query </P> Wed, 10 Jul 2019 13:37:51 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458909#M170426 amirarsalan 2019-07-10T13:37:51Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458910#M170427 <P>its out of the box with the MC (DMC)<BR /> search -&gt; activity -&gt; Search Usage Statistics: Deployment</P> Wed, 10 Jul 2019 14:05:43 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458910#M170427 adonio 2019-07-10T14:05:43Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458911#M170428 <P>The _audit index should have this information.</P> <P>This would show a list of searches sorted by execution time by user:</P> <PRE><CODE>index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | table search total_run_time user | sort - total_run_time </CODE></PRE> <P>You could also look at which users have the longest running searches on average:</P> <PRE><CODE>index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | stats avg(total_run_time) by user </CODE></PRE> Wed, 10 Jul 2019 14:06:14 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458911#M170428 asneed_eu 2019-07-10T14:06:14Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458912#M170429 <P>Hi @asneed_eu </P> <P>Thanks for your replay. It seems to works but i can only see my username. Can't see other users.</P> Thu, 11 Jul 2019 07:18:31 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458912#M170429 amirarsalan 2019-07-11T07:18:31Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458913#M170430 <P>Hi @adonio </P> <P>Is this in splunk-master? If it is then i can only see users that have access to splunk-master, and that is only 3 persons. </P> Thu, 11 Jul 2019 08:11:49 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458913#M170430 amirarsalan 2019-07-11T08:11:49Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458914#M170431 <P>Beside that I can't see the total_run_time and on the search field it's only "*"</P> Wed, 30 Sep 2020 01:13:06 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458914#M170431 amirarsalan 2020-09-30T01:13:06Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458915#M170432 <P>not the Cluster Master, its called Splunk Monitoring Console. <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/DMCoverview">https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/DMCoverview</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/Searchusagestatistics">https://docs.splunk.com/Documentation/Splunk/7.3.0/DMC/Searchusagestatistics</A></P> Thu, 11 Jul 2019 12:36:32 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458915#M170432 adonio 2019-07-11T12:36:32Z https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458916#M170433 <P>I can only see "Add Data" there is no Splunk Monitoring Console. I can only found it in master.<BR /> And i'm a admin user</P> Thu, 11 Jul 2019 12:55:20 GMT https://community.splunk.com/t5/Splunk-Search/identify-which-user-is-doing-longest-searches/m-p/458916#M170433 amirarsalan 2019-07-11T12:55:20Z