This link describes the events that can be audited in Splunk. I would also like to keep the audit trail of ALL the queries that a user runs after he/she logs in. Is that possible? How?
index=_audit action=search search=* | table _time,user,search
That should get you started...