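##1 - search activity summarised by search type (from index=_audit)
##   Fix: the original `fields +` listed search_type twice and dropped count_user / count_host before the
##   trailing `rename`, so the "User Count" and "Search Head Count" columns never reached the table.
##   Both are now kept; the no-op renames of user/host (absent after `stats ... by search_type`) and the
##   duplicated host clause in the base search are removed. Output is otherwise unchanged.
##   Review note: `NOT user=ops_admin` hides a privileged account's searches from this audit view;
##   confirm that exclusion is intended, since the view is only as complete as its exclusions allow.
(search_id!="rsa_*" action=search host=* index=_audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin (host=sh*.*splunk*.* OR host=si*.*splunk*.*))
| eval user=if((user == "n/a"),null(),user),
    search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(savedsearch_name,"^_ACCELERATE_"),"acceleration",match(search_id,"^((rt_)?scheduler_|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"),
    search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name)
| stats min(_time) as _time, values(user) as user, values(_time) as time, values(info) as info, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host
| search (host=* (host=sh*.*splunk*.* OR host=si*.*splunk*.*))
| where isnotnull(search)
| stats dc(user) as count_user, dc(host) as count_host, median(total_run_time) as median_runtime, sum(total_run_time) as cum_runtime, count(search) as count, max(_time) as last_use by search_type
| eval median_runtime=if(isnotnull(median_runtime),median_runtime,"-"), cum_runtime=if(isnotnull(cum_runtime),cum_runtime,"-"), last_use=strftime(last_use,"%m/%d/%Y %H:%M:%S %z")
| fields + search_type, count, count_user, count_host, median_runtime, cum_runtime, last_use
| sort - count
| rename count_host as "Search Head Count", count as "Search Count", median_runtime as "Median Runtime", cum_runtime as "Cumulative Runtime", last_use as "Last Search", search_type as "Search Type", count_user as "User Count"

##2 - search name/report name: one row per search_id, longest-running first
##   Same base search, eval and first stats as ##1; the redundant `true() AND` is dropped from `where`.
##   Review note: "Report Name/Search String" shows the raw search string recorded in _audit, which may
##   include values typed into ad hoc searches, so restrict this view to the same audience that may
##   read _audit. `sort` without a count keeps only its default result cap; use `sort 0 - total_run_time`
##   where the full set is required.
(search_id!="rsa_*" action=search host=* index=_audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin (host=sh*.*splunk*.* OR host=si*.*splunk*.*))
| eval user=if((user == "n/a"),null(),user),
    search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(savedsearch_name,"^_ACCELERATE_"),"acceleration",match(search_id,"^((rt_)?scheduler_|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"),
    search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name)
| stats min(_time) as _time, values(user) as user, values(_time) as time, values(info) as info, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host
| search (host=* search="*" user="*")
| where isnotnull(search)
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime),
    latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime),
    _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z")
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id
| where (total_run_time >= 0)
| sort - total_run_time
| fields + search, total_run_time, _time, earliest, latest, search_type, user, host, search_id
| rename search as "Report Name/Search String", total_run_time as "Search Runtime", _time as "Search Start", earliest as "Earliest Time", latest as "Latest Time", search_type as "Search Type", user as User, host as Host, search_id as SID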