Searches are in the audit log. Saved searches will have a non-empty value in the savedsearch_name field. The user name is in the user field.
index=_audit action=search
| table user savedsearch_name search
This is not working at all. We will get all the searches running in Splunk, because there is no keyword to identify whether a search is a saved search, an ad-hoc search, or a report.
As stated in my response, a saved search will have a non-empty value in the savedsearch_name field (keyword). If savedsearch_name="" then the search is ad-hoc.
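An added example, not part of the posts above: the same audit query extended to label each search as saved or ad-hoc using the savedsearch_name test described in the answer, then summarized per user. The names search_type, saved_name, runs and last_run are chosen here for illustration, and the info=granted filter is added to keep one audit event per dispatched search rather than counting the later completion event as well.

```spl
index=_audit action=search info=granted
| eval search_type=if(isnull(savedsearch_name) OR savedsearch_name="", "ad-hoc", "saved")
| eval saved_name=if(search_type="saved", savedsearch_name, "(none)")
| stats count AS runs, latest(_time) AS last_run BY user, search_type, saved_name
| convert ctime(last_run)
| sort - runs
```

Appending `| search search_type="ad-hoc"` to the end limits the summary to ad-hoc searches only.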