This can get you started (minus the IP thing)
index=_audit host=CCFS-SH2 action=search user!=splunk-system-user search_id=* (info=granted OR info=completed) |rex field=apiStartTime "'(?<start_time>[^']+)'" |rex field=apiEndTime "'(?<end_time>[^']+)'" | eval search_id = trim(if(isnull(search_id), id, search_id), "'") | eval run_time_min=round(total_run_time/60,2) |eval range=if(start_time=="ZERO_TIME","All Time", tostring(strptime(end_time, "%a %b %d %H:%M:%S %Y") - strptime(start_time, "%a %b %d %H:%M:%S %Y"),"duration"))
The ip is key - trying to find out where some of these searches are coming from...