Splunk Enterprise Security Certified Analyst — Question 33

How could a role in which all users must specify an index=clause in all searches be configured?

Answer options

• A. Set the authorize.conf setting: srchIndexesDefault to no value.
• B. Set the authorize.conf setting: srchFilter to no value.
• C. Set the authorize.conf setting: srchIndexesAllowed to no value.
• D. Set the authorize.conf setting: srchJobsQuota to no value.

Correct answer: A

Explanation

The correct answer is A because setting srchIndexesDefault to no value requires users to specify an index in their searches. The other options do not enforce this requirement and either relate to filtering or quotas, which do not affect the necessity of the index clause.