I need some help to identify which users are running the longest/bad searches. Sometimes Splunk goes very slow, and that indicates that someone is running searches/jobs that are not good, and I want to identify who it is and see the search string for that user.
Can someone help me with a query?
The _audit index should have this information.
This would show a list of searches sorted by execution time by user:
index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | table search total_run_time user | sort - total_run_time
You could also look at which users have the longest-running searches on average:
index=_audit action="search" search=* NOT user="splunk-system-user" exec_time=* | stats avg(total_run_time) by user
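The same ranking, done outside Splunk, as an added example that is not part of the answer above: a small Python script that reads raw audit.log lines (the file behind the _audit index), keeps only the search events that actually carry a total_run_time (the info=completed ones; granted and canceled events do not), drops splunk-system-user, and produces both views, the slowest individual searches and per-user count/average/max. The sample lines are constructed here and only approximate the real audit.log layout; the field names used (user, action, info, search_id, total_run_time, exec_time, search) are the ones the queries above rely on.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating Splunk's audit.log format. Not real data.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=05-10-2024 12:05:37.123, user=alice, action=search, info=granted, "
    "search_id='1715342737.100', search='search index=main error | stats count by host', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=05-10-2024 12:05:40.456, user=alice, action=search, info=completed, "
    "search_id='1715342737.100', has_error_warn=false, fully_completed_search=true, total_run_time=3.21, "
    "event_count=120, result_count=4, scan_count=5000, exec_time=1715342737, "
    "search='search index=main error | stats count by host'][n/a]",
    "Audit:[timestamp=05-10-2024 12:06:01.000, user=bob, action=search, info=granted, "
    "search_id='1715342761.101', search='search index=* | table _raw', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=05-10-2024 12:16:15.900, user=bob, action=search, info=completed, "
    "search_id='1715342761.101', has_error_warn=false, fully_completed_search=true, total_run_time=614.9, "
    "event_count=9000000, result_count=9000000, scan_count=9000000, exec_time=1715342761, "
    "search='search index=* | table _raw'][n/a]",
    "Audit:[timestamp=05-10-2024 12:07:00.000, user=splunk-system-user, action=search, info=completed, "
    "search_id='scheduler__admin__search__RMD5abc', total_run_time=45.0, exec_time=1715342820, "
    "search='search index=_internal | stats count'][n/a]",
    "Audit:[timestamp=05-10-2024 12:08:00.000, user=alice, action=search, info=completed, "
    "search_id='1715342880.102', total_run_time=0.8, exec_time=1715342880, "
    "search='search index=main sourcetype=access_combined | head 10'][n/a]",
]

# key=value pairs; values are single-quoted (search strings, ids), double-quoted, or bare up to the next comma or ']'
AUDIT_KV = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]]+)")


def parse_audit_line(line):
    """Parse one audit.log line into a dict. Returns None for anything that is not a search event."""
    fields = {}
    for key, raw in AUDIT_KV.findall(line):
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields if fields.get("action") == "search" else None


def completed_searches(lines, exclude_users=("splunk-system-user",)):
    """One record per finished search. Only info=completed events carry total_run_time,
    so granted/canceled events are skipped; a repeated search_id keeps the last completion seen."""
    by_id = {}
    for line in lines:
        f = parse_audit_line(line)
        if not f or f.get("info") != "completed" or "total_run_time" not in f:
            continue
        if f.get("user") in exclude_users:
            continue
        by_id[f.get("search_id", line)] = {
            "user": f["user"],
            "search": f.get("search", ""),
            "total_run_time": float(f["total_run_time"]),
            "exec_time": int(f.get("exec_time", 0)),
        }
    return list(by_id.values())


def slowest_searches(lines, limit=10):
    """Equivalent of the first query: searches sorted by total_run_time, longest first."""
    recs = completed_searches(lines)
    return sorted(recs, key=lambda r: r["total_run_time"], reverse=True)[:limit]


def runtime_by_user(lines):
    """Equivalent of the second query, plus count and max so a single 10-minute search
    is not hidden behind a user's many fast ones."""
    totals = defaultdict(lambda: {"count": 0, "sum": 0.0, "max": 0.0})
    for r in completed_searches(lines):
        t = totals[r["user"]]
        t["count"] += 1
        t["sum"] += r["total_run_time"]
        t["max"] = max(t["max"], r["total_run_time"])
    return {u: {"count": t["count"], "avg": round(t["sum"] / t["count"], 3), "max": t["max"]}
            for u, t in totals.items()}


if __name__ == "__main__":
    print("slowest searches:")
    for r in slowest_searches(SAMPLE_AUDIT_LINES):
        print(f"  {r['total_run_time']:>8.2f}s  {r['user']:<10} {r['search']}")
    print("per user:")
    for user, s in sorted(runtime_by_user(SAMPLE_AUDIT_LINES).items(), key=lambda kv: -kv[1]["max"]):
        print(f"  {user:<10} count={s['count']} avg={s['avg']} max={s['max']}")
```

Point it at a copy of $SPLUNK_HOME/var/log/splunk/audit.log from the search head and the per-user max column is usually what answers "who is slowing the box down": one `index=*` search over all time stands out there even when that user's average looks harmless.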
Not the Cluster Master; it's called the Splunk Monitoring Console.