Splunk Core Certified User — Question 104

According to Splunk best practices, which placement of the wildcard results in the most efficient search?

Answer options

• A. f*il
• B. *fail
• C. fail*
• D. *fail*

Correct answer: C

Explanation

The correct answer, C (fail*), is efficient because the wildcard is positioned at the end of the term, allowing for a broader match without searching through all potential prefixes. Options A and B place the wildcard either at the start or in the middle, which can lead to less efficient searches as they require more processing. Option D, while it has the wildcard at the start, also results in a less efficient search compared to option C.