You can see the "delete" activity from the auditlog (so inside the splunk search window type - index=_audit sourcetype=audittrail delete). This will show you all the delete activity. This will also provide you with a search_id. You can locate this search id within the sourcetype="splunk_web_access" within the _internal index. For example: index=_internal sourcetype="splunk_web_access sid= . This will produce the actual web access log that executed the delete command. Providing for you, the IP address and the username.
Hopefully this helps.
... View more