Auditing queries

Path Finder

This link describes the events that can be audited in Splunk. I would also like to keep the audit trail of ALL the queries that a user runs after he/she logs in. Is that possible? How?

Splunk Employee

Try this:

index=_audit action=search search=* | table _time,user,search

That should get you started...