As our shared Splunk environment matures, we're trying to build in some checks to make sure everyone is being a good citizen and not running searches that can create large impacts to others.
On my checklist are the following:
I've been able to identify most of these by doing a recursive grep through the etc directory on the search head, looking for specific entries in savedsearches.conf. However, the process is somewhat clunky and I have a feeling there data is already somewhere in Splunk, I just don't know about it.
I don't want to start imposing restrictions on the roles level (yet), but at the very least I'd like to be able to set up an alert to myself and the other Splunk admins notifying us of when a user saves or schedules a possibly problematic search.
I have been using the Splunk On Splunk app for finding problematic searches, etc.. and it's been working great.