In the Search App there is a dashboard showing:
Today's Usage by User
Yesterday's Usage by User
Last 7 days Usage by User
The dashboard is located under Status > Search activity > User activity.
Is this what you are looking for?
To make this work on a distirbuted search head I believe you'll have to modify the actual search. The searches which drive these dashboard panels are located in $SPLUNK_HOME/etc/apps/search/default/data/ui/views/search_user_activity.xml. Examine the first search:
`audit_searchlocal` | `audit_rexsearch` | search search_id!=scheduler_* | convert num(total_run_time) | eval user = if(user="n/a", null(), user) | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id | search search=search* search!=*_internal* search!=*_audit* | chart median(total_run_time) as "Median search time" perc95(total_run_time) as "95th Percentile search time" sum(total_run_time) as "Total search time" count as "Search count" by user
This search references 2 macros defined in $SPLUNK_HOME/etc/apps/search/default/macros.conf.
[audit_searchlocal(1)]
args = filter
definition = search splunk_server=local index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search $filter$
[audit_rexsearch]
definition = rex "search='(?<search>.*?)', autojoin"
You can see in the audit_searchlocal macro, the local splunk server is the only one queried, probably why you are not seeing any results when running this on a distributed search head. Try removing "splunk_server=local" and see if you get any results.
... View more
