As dkeck stated, Splunk is not really good at logging itself.
I tried to apply the following search as an alert on my instances. This search should find only those events where the | delete command was used.
index=_* "*delete*" | where (user!="" AND method="DELETE" AND q!="") | append [search index=_internal root="servicesNS" method="DELETE" | eval q=""] | where NOT like(_raw, "%runshellscript%") | eval deltype=if(q="","Existing Object","Indexed Data") | eval delobject=if(q="",file,q) | sort -_time | table _time index user method deltype delobject _raw | rename user AS User_Name method AS Action deltype AS Type delobject AS "What got deleted?" _raw AS Payload
Sadly, Splunk is not good at logging itself.
Try to find the same event in index=internal sourcetype=splunkdaccess OR sourcetype=splunkuiaccess.
If you are lucky, you can see which data was deleted by whom.
127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms
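The access-log line above is the kind of evidence the reply points at. As an added example (not part of the original thread and not Splunk's own code), here is a small parser that pulls DELETE requests out of lines in that format, recovers the user, timestamp and the deleted object from the REST path, and separates the entries where the user is missing ("-") or is the system user, which is the n/a situation discussed later in the thread. The sample lines are constructed for this example; only the first one is taken from the reply.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Constructed sample lines in the splunkd access-log format shown in the thread.
# Line 1 is the line from the reply; the others are made up to exercise the parser.
SAMPLE_LOG = """\
127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms
127.0.0.1 - admin [25/Apr/2016:08:34:05.001 +0200] "GET /servicesNS/admin/search/saved/searches HTTP/1.0" 200 4410 - - - 5ms
10.0.0.5 - - [25/Apr/2016:08:35:10.100 +0200] "DELETE /servicesNS/nobody/search/saved/searches/nightly-report HTTP/1.0" 200 512 - - - 3ms
127.0.0.1 - splunk-system-user [25/Apr/2016:08:36:00.000 +0200] "DELETE /services/search/jobs/1461566160.42 HTTP/1.0" 200 88 - - - 1ms
"""

# client - user [timestamp] "METHOD path PROTO" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

SYSTEM_USER = "splunk-system-user"  # the system account named in the thread


@dataclass
class DeleteEvent:
    time: datetime
    client: str
    user: Optional[str]  # None when the log shows "-" (no user attributed)
    path: str
    status: int

    @property
    def deleted_object(self) -> str:
        # The last path segment names the object the REST call removed.
        return self.path.rstrip("/").rsplit("/", 1)[-1]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_deletes(lines: Iterable[str]) -> List[DeleteEvent]:
    """Keep only DELETE requests, with timestamp, user and target resolved."""
    events: List[DeleteEvent] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        user = None if rec["user"] == "-" else rec["user"]
        events.append(DeleteEvent(ts, rec["client"], user, rec["path"], int(rec["status"])))
    return events


def unattributed(events: Iterable[DeleteEvent]) -> List[DeleteEvent]:
    """Deletes that cannot be tied to a named person: no user, or the system user."""
    return [e for e in events if e.user is None or e.user == SYSTEM_USER]


if __name__ == "__main__":
    evs = find_deletes(SAMPLE_LOG.splitlines())
    for e in evs:
        who = e.user or "n/a"
        print(f"{e.time.isoformat()} {who:>20} deleted {e.deleted_object} ({e.status})")
    print(f"{len(unattributed(evs))} of {len(evs)} deletes have no named user")
```

The `unattributed` list is the part worth alerting on separately: those are exactly the deletions where the access log alone will not tell you who acted, so they need to be correlated with something else (for example a scheduled job id in the path) rather than treated as attributed.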
First of all, thank you for your prompt reply. Unfortunately, neither of the indexes suggested above returned any data.
We used sourcetype=audittrail to get the list of XMLs deleted; however, the user value shown is "n/a", which is most probably referring to a job that was automatically run by the system.
It would be a nice thing to have if this were the case, but as said, Splunk is not good at logging itself.
In my experience, often even with a named user the user field value will be n/a. There is a user for system operations called "splunk-system-user". Often you can only figure out that something happened but not who did it... it's inconvenient but true.