I'd like to create an auditing like dashboard panel that shows the user, the name of the correlated rule, the action (creation, deletion, edit, enable/disable). I have looked around in the
_* indexes and can't find it. Can someone point me in the right direction?
Did you try :
|rest /servicesNS/-/-/saved/searches splunk_server=local
This would show the owner, search, description, status etc.. and you can choose the fields that are of interest to you.