I have been looking into usage metrics for my companys Splunk deployment with the aim of analysing users searches and discovering how we can improve use of the system - such as by optimising their searches and reducing the number of concurrent searches they run.
I have been using the 'Search Activity by User' dashboard in the Search app and can identify users that are running concurrent searches and how many they are running, however I can't seem to see what those searches are. Is this possible and if so how do I go about this?
In the top right of your Splunk GUI you should see a link labeled "Jobs". [Manager | Alerts | Jobs | Logout]
This should take you to a view (if you have admin rights) that will show you all of the jobs that have been run, by user, app, time, amongst other useful data. I do have S.o.S. app installed on my Splunk instance, and can't remember if this feature is connected in any way to that app or comes standard.