Splunk Core Certified User — Question 13

Which of the following index searches would provide the most efficient search performance?

Answer options

• A. index=*
• B. index=web OR index=s*
• C. (index=web OR index=sales)
• D. *index=sales AND index=web*

Correct answer: C

Explanation

Option C is the most efficient because it specifically restricts the search to the relevant indices, minimizing the search scope. In contrast, option A searches all indices, which is less efficient, while option B and D include broader or unnecessary search parameters that can slow down performance.