All data and apps from our distributed architecture suddenly got deleted, including indexes and other configurations.
Anyone faced this issue before? Any way to check how this happened?
If you're running on linux, then you can look into Audit logs of the system under /var/log/audit. Splunk has it's own audit logs too, so you can look them up as well under /var/log/splunk/audit.log. These, couple with the knowledge of who logged in to your system, during the time when the data went missing by analyzing /var/log secure logs, you may begin your investigation.