This Splunk query should show which users attempted to modify an index and if that action was successful: