Splunk Core Certified User — Question 87

Which of the following searches would return events with failure in index netfw or warn or critical in index netops?

Answer options

• A. (index=netfw failure) AND index=netops warn OR critical
• B. (index=netfw failure) OR (index=netops (warn OR critical))
• C. (index=netfw failure) AND (index=netops (warn OR critical))
• D. (index=netfw failure) OR index=netops OR (warn OR critical)

Correct answer: B

Explanation

Option B is correct because it uses the OR operator properly to capture all events that have failure in the netfw index or either warn or critical in the netops index. The other options misplace the AND and OR operators, which could lead to incorrect results by either excluding relevant events or combining conditions inappropriately.