you can find the Splunk restart via GUI in _internal using a simple search like this:
result will be something like this where admin is the user that launched the command:
127.0.0.1 - admin [23/Mar/2020:13:54:43.703 +0100] "GET /services/messages/restart_required HTTP/1.0" 404 159 - - - 1ms
For the restart via CLI, the only way is to read the history files on Linux and search for the command
To have the user that used the CLI command, you have to take the Linux logs of history.
If you see in the SplunkTAnix App there's in input.conf the configuration to take these logs and to see the user that executed:
### bash history [monitor:///root/.bash_history] disabled = 0 sourcetype = bash_history index = os [monitor:///home/.../.bash_history] disabled = 0 sourcetype = bash_history index = os
The folder before .bash_history is the username of the user that launched the CLI command.
if on linux - additionally you can try to correlate the output of the "last" command, which lists all linux users with corresponed login and logout times, with the time when the "./splunk restart" command was issues. That will not work if you have several simultaniously logged users. I think you need TA_nix Addon to get this info.
On Windows you need to check security log to get similar information (using Addon for Windows)