I couldn't find documentation of _audit to that level of information.
But if your aim is to find execution time and alerting, the best is to use DMC

DMC -> Search -> Activity -> Search Usage Statistics: Deployment -> Long running Queries

A sample query which you can run in instance having DMC is like below and you can easily put alerts on them

`dmc_audit_get_searches_for_groups(*)`       | stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host       | where isnotnull(search) AND search_type="ad hoc" |             search user="*" search="*"             | eval earliest = case(like(apiStartTime, "%ZERO_TIME%") AND like(apiEndTime, "%ZERO_TIME%"), "all time", like(apiStartTime, "%ZERO_TIME%"), "-", 1 == 1, apiStartTime )             | eval latest = case(like(apiStartTime, "%ZERO_TIME%") AND like(apiEndTime, "%ZERO_TIME%"), "all time", like(apiEndTime, "%ZERO_TIME%"), "-", 1 == 1, apiEndTime )              | `dmc_time_format(_time)`             | stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id             | sort - total_run_time              | eval total_run_time = `dmc_convert_runtime(total_run_time)`             | eval total_run_time = if(isnotnull(total_run_time), total_run_time, "-")             | fields search, total_run_time, _time, earliest, latest, search_type, user, host, search_id             | rename search as "Report Name/Search String", total_run_time as "Search Runtime", _time as "Search Start", earliest as "Earliest Time", latest as "Latest Time", search_type as Type, user as "User", host as "Host", search_id as SID