Index Modifications _internal john117 0 1 This Splunk query should show which users attempted to modify an index and if that action was successful: index=_audit user=* action=indexes_edit | stats count by index info user action 1 index=_audit user=* action=indexes_edit | stats count by index info user action Share This: Tagged: _auditadmininternalsplunk on splunk