I have used this
index=_audit action="login attempt" "info=succeeded" | stats count by action , user , _time | timechart span=1d count by user
But all the users get put into the same bucket.
this shows you the actions by user and IP
index=_internal sourcetype=splunkd_ui_access | stats count by clientip , user , _time | eval UserIP=user+" - "+clientip | timechart span=1d count by UserIP