I am the administrator for a medium Splunk infrastructure
my manager came this morning and asked.
can you run a report of what users are being logged into Splunk and what searches have ran?
what of our different indexes and datasources are they being looked at?
is this possible?
You can find Splunk logged Users in -audit index running a search like this
index=_audit "action=login attempt"
Instead you can find infomation abour runned searches on _internal
index=_internal "search=" index
and then extract sourcetype and index fields.
Remember that in this way you find only searches where index and sourcetypes are in the search, if you have eventtypes (I usually do it!) you have to search also eventtypes.