Splunk Enterprise Security Certified Analyst — Question 85

In which of the following scenarios is a subsearch the most appropriate?

Answer options

• A. When joining results from multiple indexes.
• B. When dynamically filtering hosts.
• C. When filtering indexed fields.
• D. When joining multiple large datasets.

Correct answer: B

Explanation

A subsearch is ideal for dynamically filtering hosts because it allows you to generate a list of hosts from the results of another search. The other options involve static joins or filtering operations that do not benefit from the dynamic nature of subsearches.