I'm still new to this so bear with me but couldn't you do something along the lines of:
(index=_internal sourcetype=splunkd_ui_access q!="") OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT
"search='typeahead" NOT "search='| metadata type=* | search totalCount>0")
| rex field=uri_query "display.page.search.mode=(?[^&]+)"
| stats count by user search _time | sort _time | convert ctime(_time)
| stats list(_time) as Time list(search) as Searches by user
| table _time host user q search_mode
| eval query=urldecode(q)
| where (search_mode="verbose") AND (user!="-")
| stats values(host) as hosts last(query) as query count(user) as "# of verbose searches" by user
| rename query as "Recent Verbose Search"
| fields user hosts "# of verbose searches" "Recent Verbose Search"
| sort - "# of verbose searches"