I have a need to pull all the users and the files/sourcetype or queries they ran to export data out of splunk
I found one query but that doesnt tell me what query they ran
index=_internal file=export | fields file user uri_path | table file user uri_path
This may help.
index=_audit sourcetype="searchactivity:searchhistory" WasExported=yes