I had a test_index index created where I was sending all test data. However, out of nowhere, today I see all data gone from it.
How can I find out which user messed with this index?
There is no object field anywhere in the data for:
index=_audit user=* action=indexes_edit
This is even with searching against the last 90 days. Why is that?
With that, I only got one result, the same as the first in your screenshot: Operation=create. I am suspecting someone ran splunk clean eventdata -index test_index on the CLI.
Is there any way to find the user who executed this command?
Thanks.
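An added example, not part of the thread above and not Splunk's own tooling: a CLI run of splunk clean eventdata is executed against a stopped splunkd, so it is not the kind of action index=_audit records; the evidence, if any, lives in OS-level records on the indexer. The script below scans two such sources with portable grep/sed/awk: sudo entries in the system auth log (which record the invoking user, the target user and the full command) and a user's shell history (which carries timestamps only when HISTTIMEFORMAT was set, in which case bash writes a "#<epoch>" line before each command). The log lines and history lines embedded here are constructed sample data; the hostname idx01, the users alice and bob, and the path /opt/splunk/bin are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find OS-level evidence of
# "splunk clean eventdata" in sudo logs and shell histories.
# All sample data below is constructed for the demonstration.
set -u

# Constructed sample of /var/log/auth.log (Debian/Ubuntu layout; RHEL uses
# /var/log/secure). sudo logs the invoking user, target USER and COMMAND.
SAMPLE_AUTH_LOG='Mar 12 09:41:02 idx01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=splunk ; COMMAND=/opt/splunk/bin/splunk stop
Mar 12 09:41:30 idx01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=splunk ; COMMAND=/opt/splunk/bin/splunk clean eventdata -index test_index -f
Mar 12 09:42:10 idx01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=splunk ; COMMAND=/opt/splunk/bin/splunk start
Mar 12 10:15:44 idx01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl status Splunkd'

# Constructed sample of a ~/.bash_history written with HISTTIMEFORMAT set:
# each command is preceded by a "#<epoch seconds>" line.
SAMPLE_HISTORY='#1710236462
sudo -u splunk /opt/splunk/bin/splunk stop
#1710236490
sudo -u splunk /opt/splunk/bin/splunk clean eventdata -index test_index -f
#1710236530
sudo -u splunk /opt/splunk/bin/splunk start'

# find_clean_in_sudo_log: read a sudo-style auth log on stdin and print
# "<invoking user> <timestamp> <command>" for each entry whose COMMAND
# contains "splunk clean eventdata". Real use:
#   find_clean_in_sudo_log < /var/log/auth.log
find_clean_in_sudo_log() {
  grep 'sudo:.*splunk clean eventdata' | sed -E \
    's/^([A-Za-z]{3} +[0-9]+ [0-9:]+) [^ ]+ sudo: +([^ ]+) :.*COMMAND=(.*)$/\2 \1 \3/'
}

# find_clean_in_history: read a bash history file on stdin and print
# "<epoch> <command>" for each matching command. If the history has no
# "#<epoch>" lines (HISTTIMEFORMAT was unset) the epoch is reported as
# "no-timestamp". Real use:
#   for h in /home/*/.bash_history /root/.bash_history; do
#     echo "== $h"; find_clean_in_history < "$h"; done
find_clean_in_history() {
  awk '
    /^#[0-9]+$/ { ts = substr($0, 2); next }
    /splunk clean eventdata/ {
      print (ts == "" ? "no-timestamp" : ts) " " $0
    }
    { ts = "" }
  '
}

# Stand-alone demonstration over the constructed samples.
echo "== sudo log hits (user, time, command):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | find_clean_in_sudo_log
echo "== shell history hits (epoch, command):"
printf '%s\n' "$SAMPLE_HISTORY" | find_clean_in_history
```

Two caveats when using this for real: a shell history file is owned and writable by the user who produced it, so its absence or silence proves nothing, whereas sudo entries in the auth log (or, where configured, auditd execve records for /opt/splunk/bin/splunk) are written by the system and are the stronger evidence; and if the command was run directly as the splunk service account over an interactive login rather than through sudo, the login itself is what the auth log will show, so correlate the stop/start window around the data loss with who was logged in at the time.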