index=_audit action=search search=* provenance!=scheduler user!=splunk-system-user
    ```Audit review: search activity recorded in _audit, leaving out events whose provenance is "scheduler" and events run as splunk-system-user.```
    ```NOTE(review): field!=value matches only events that carry the field, so audit events with no provenance or no user field are dropped as well; NOT field=value would keep them. Confirm which is intended.```
| table _time user search host total_run_time result_count
    ```NOTE(review): the search column holds the full query text, which can include sensitive literals; limit who can read this output.```
| sort - _time
    ```Newest first. NOTE(review): sort keeps 10000 results by default; use "sort 0 - _time" if the complete trail is needed.```
index=_internal sourcetype=splunk_web_access earliest=-5m latest=now user!="internal_monitoring" user!="-"
    ```Users with Splunk Web access-log events in the last 5 minutes, leaving out the "internal_monitoring" account and the "-" value.```
    ```NOTE(review): "-" presumably marks requests with no authenticated user; confirm. The != filters also drop events that have no user field.```
| stats count by user
| fields - count
    ```count is discarded, so the result is one row per distinct user.```