I'd like to create an auditing-like dashboard panel that shows the user, the name of the correlated rule, and the action (creation, deletion, edit, enable/disable). I have looked around in the _* indexes and can't find it. Can someone point me in the right direction?
Did you try:
|rest /servicesNS/-/-/saved/searches splunk_server=local
This would show the owner, search, description, status, etc., and you can choose the fields that are of interest to you.
Did you search the _audit index?
Also you can use this app:
https://splunkbase.splunk.com/app/4144/
+1 on this app! @DEAD_BEEF you could grab the search from the app and use it to suit your needs as well.