Learn how Splunk determines the effective search filter when a user is assigned multiple roles with different srchFilter settings. Understand how role-based search filters are combined in Splunk.
Question
A user is assigned two roles with the following search filters. What is the user’s applied search filter?
[role_A]
srchFilterSelecting = true
srchFilter = sourcetype!=json AND index=main

[role_B]
srchFilterSelecting = true
srchFilter = sourcetype=csv
A. srchFilter = ((sourcetype=csv) AND (sourcetype!=json AND index=main))
B. srchFilter = ((sourcetype=csv) OR (sourcetype!=json AND index=main))
C. srchFilter = sourcetype!=json AND index=main
D. srchFilter = sourcetype=csv
Answer
B. srchFilter = ((sourcetype=csv) OR (sourcetype!=json AND index=main))
Explanation
When a Splunk user is assigned multiple roles, each with its own search filter (srchFilter), and those roles have srchFilterSelecting = true (as both roles do here), Splunk combines the filters using a logical OR operation. This means that the user’s effective search filter will include events that match any of the individual role filters, so adding a role can widen, not narrow, the data the user can search.
In this case, the user is assigned two roles:
- role_A has the filter: sourcetype!=json AND index=main
- role_B has the filter: sourcetype=csv
When these filters are combined with a logical OR, the resulting applied search filter is:
srchFilter = ((sourcetype=csv) OR (sourcetype!=json AND index=main))
This filter will include events that either have:
- sourcetype=csv, OR
- sourcetype!=json AND index=main
Therefore, the correct answer is option B. The user’s effective search filter is the result of combining the individual role filters using a logical OR operation.
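The combination rule above is easy to get backwards, and it matters for least privilege: because selecting filters are ORed, a user who holds role_A and role_B can see csv events in every index, not just in index=main. The following added example (not Splunk's code; Splunk evaluates filters inside its search pipeline) models the combination rule from the question, parses the resulting filter, and runs it over a handful of constructed events so the widening effect is visible. The AND branch for srchFilterSelecting = false is an assumption modeled on the authorize.conf documentation; the question only exercises the selecting case.

```python
# Added example: model how Splunk builds one effective search filter from the
# srchFilter of each assigned role, then evaluate it against sample events.
# Not Splunk's implementation; roles are copied from the question, events are
# constructed inline.
import re

# authorize.conf stanzas from the question.
ROLES = {
    "role_A": {"srchFilterSelecting": True,
               "srchFilter": "sourcetype!=json AND index=main"},
    "role_B": {"srchFilterSelecting": True,
               "srchFilter": "sourcetype=csv"},
}

# Constructed events; every event carries index and sourcetype, as indexed data does.
EVENTS = [
    {"id": 1, "index": "main",  "sourcetype": "syslog"},  # role_A only
    {"id": 2, "index": "main",  "sourcetype": "json"},    # neither role
    {"id": 3, "index": "main",  "sourcetype": "csv"},     # both roles
    {"id": 4, "index": "other", "sourcetype": "csv"},     # role_B only: widened by OR
    {"id": 5, "index": "other", "sourcetype": "json"},    # neither role
]


def effective_filter(roles, assigned):
    """Combine the srchFilter of each assigned role into one expression.

    Roles with srchFilterSelecting = true are joined with OR (selecting).
    Roles with srchFilterSelecting = false are joined with AND (eliminating);
    that branch is an assumption modeled on the authorize.conf documentation,
    the question itself only shows selecting roles. Term order follows the
    order of `assigned`; it does not change the meaning of the filter.
    """
    selecting = [f"({roles[r]['srchFilter']})" for r in assigned
                 if roles[r]["srchFilterSelecting"] and roles[r]["srchFilter"]]
    eliminating = [f"({roles[r]['srchFilter']})" for r in assigned
                   if not roles[r]["srchFilterSelecting"] and roles[r]["srchFilter"]]
    parts = []
    if selecting:
        parts.append("(" + " OR ".join(selecting) + ")")
    if eliminating:
        parts.append("(" + " AND ".join(eliminating) + ")")
    return " AND ".join(parts)


# Tokens: parentheses, AND / OR keywords, or a field=value / field!=value term.
TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|[A-Za-z_]\w*!?=[^\s()]+)")


def tokenize(expr):
    pos, tokens = 0, []
    expr = expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported filter syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive-descent parser: OR binds loosest, then AND, then atoms."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            node = expr_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = re.match(r"(\w+)(!?=)(.+)", tok).groups()
        return ("cmp", field, op, value)

    def expr_and():
        node = atom()
        while peek() == "AND":
            take()
            node = ("and", node, atom())
        return node

    def expr_or():
        node = expr_and()
        while peek() == "OR":
            take()
            node = ("or", node, expr_and())
        return node

    tree = expr_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return tree


def matches(node, event):
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        if op == "=":
            return event.get(field) == value
        # Splunk's != only matches events where the field is present.
        return field in event and event[field] != value
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if kind == "and" else (left or right)


def visible_ids(filter_expr, events=EVENTS):
    """Return the ids of the events a search restricted by filter_expr can see."""
    tree = parse(tokenize(filter_expr))
    return [e["id"] for e in events if matches(tree, e)]


if __name__ == "__main__":
    for role in ROLES:
        print(role, "alone ->", visible_ids(ROLES[role]["srchFilter"]))
    combined = effective_filter(ROLES, ["role_B", "role_A"])
    print("combined:", combined, "->", visible_ids(combined))
```

Running the script shows role_A alone exposing events 1 and 3, role_B alone events 3 and 4, and the combined OR filter events 1, 3 and 4: event 4 lives outside index=main yet becomes searchable once role_B is added. Option A's AND combination would have narrowed the user to event 3 only, which is the intuition this question is testing.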
This Splunk SPLK-1003 certification exam practice question and answer (Q&A), with detailed explanation and references, is available free to help you pass the Splunk SPLK-1003 exam and earn the Splunk SPLK-1003 certification.