Enable alerts and reports on real-time searches seen in the internal audit index.
The following search lists the real-time searches recorded in the _audit index:
index=_audit action=search info=granted search=* NOT ("search_id='scheduler" OR "search='|history" OR "user=splunk-system-user" OR "search='typeahead" OR "search='| metadata type=* | search totalCount>0" OR "| metadata type=sourcetypes | search totalCount > 0" ) "search_id='rt_*"
| table _time user host info savedsearch_name search search_id
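The same filtering, applied outside Splunk, as an added example that is not part of the original post: the script below parses a handful of constructed `_audit`-style `Audit:[...]` lines (the field layout is an assumption made for illustration; real events carry more fields) and keeps only granted searches whose `search_id` begins with `rt_`, dropping the scheduler, `splunk-system-user`, `|history`, `typeahead` and `| metadata type=` noise the SPL above excludes. It also flags searches that contain `earliest=0`, a heuristic added here for spotting all-time real-time searches.

```python
import re

# Constructed sample lines in the shape of Splunk _audit "Audit:[...]" events.
# The field layout is an assumption for illustration, not copied from a real system.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 09:00:01.000, user=alice, action=search, info=granted, search_id='rt_1709283601.12', search='search index=main error', savedsearch_name=""]
Audit:[timestamp=03-01-2024 09:00:02.000, user=splunk-system-user, action=search, info=granted, search_id='rt_1709283602.13', search='| metadata type=sourcetypes | search totalCount > 0', savedsearch_name=""]
Audit:[timestamp=03-01-2024 09:00:03.000, user=bob, action=search, info=granted, search_id='scheduler__bob__search__RMD5abc_at_1709283603_1', search='search index=main | stats count', savedsearch_name="Hourly count"]
Audit:[timestamp=03-01-2024 09:00:04.000, user=carol, action=search, info=granted, search_id='1709283604.15', search='search index=web status=500', savedsearch_name=""]
Audit:[timestamp=03-01-2024 09:00:05.000, user=dave, action=search, info=granted, search_id='rt_1709283605.16', search='|history', savedsearch_name=""]
Audit:[timestamp=03-01-2024 09:00:06.000, user=erin, action=search, info=denied, search_id='rt_1709283606.17', search='search index=main', savedsearch_name=""]
Audit:[timestamp=03-01-2024 09:00:07.000, user=frank, action=search, info=granted, search_id='rt_1709283607.18', search='search index=* earliest=0', savedsearch_name="All time dashboard panel"]
"""

# key=value pairs: single-quoted, double-quoted, or bare up to the next comma/bracket.
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")

# Exclusions mirroring the NOT clause of the SPL search above.
EXCLUDED_USERS = {"splunk-system-user"}
EXCLUDED_SEARCH_PREFIXES = ("|history", "typeahead", "| metadata type=")
# Heuristic marker for an all-time search (assumption: earliest=0 means "all time").
ALL_TIME_MARKERS = ("earliest=0",)


def parse_audit_event(line: str) -> dict:
    """Turn one Audit:[k=v, ...] line into a dict, stripping quotes around values."""
    return {k: v.strip("'\"") for k, v in _KV.findall(line)}


def is_adhoc_realtime_search(ev: dict) -> bool:
    """Apply the same filters as the SPL: granted, real-time, not scheduler/system/noise."""
    if ev.get("action") != "search" or ev.get("info") != "granted":
        return False
    search_id = ev.get("search_id", "")
    if search_id.startswith("scheduler") or not search_id.startswith("rt_"):
        return False
    if ev.get("user") in EXCLUDED_USERS:
        return False
    return not ev.get("search", "").startswith(EXCLUDED_SEARCH_PREFIXES)


def find_realtime_searches(audit_text: str) -> list:
    """Return the rows the SPL's `table` would produce, plus an all_time flag."""
    hits = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = parse_audit_event(line)
        if not is_adhoc_realtime_search(ev):
            continue
        search = ev.get("search", "")
        hits.append({
            "time": ev.get("timestamp", ""),
            "user": ev.get("user", ""),
            "search_id": ev["search_id"],
            "search": search,
            "savedsearch_name": ev.get("savedsearch_name", ""),
            "all_time": any(marker in search for marker in ALL_TIME_MARKERS),
        })
    return hits


if __name__ == "__main__":
    for h in find_realtime_searches(SAMPLE_AUDIT):
        print(f"{h['time']}  {h['user']:<8} {h['search_id']:<20} "
              f"all_time={h['all_time']}  {h['search']}")
```

Run against the constructed sample, only the searches by `alice` and `frank` survive; `frank`'s real-time, all-time dashboard panel is the kind of entry worth an alert, since it keeps a search process busy indefinitely over the whole index.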
Nice. In Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
I have a few searches to look for bad practices or all-time searches in dashboards or similar... FYI