In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
In a deployment with multiple indexes, what will happen when a search is run and an index is not specified in the search string?
In a deployment with multiple indexes, if an index is not specified in the search string, events from every index searched by default to which the user has access will be returned. This is because Splunk applies default settings that include searching through all available indexes the user has permission to access unless specified otherwise.
D is correct pag 42 Splunk applies defaults if not specified
Just tested this and it returned all results from indexes I had access to. Answer is D.
D is correct it will take default index if not specified
D is correct
Answer is A. Splunk will not return any events.
Page 42 of the PDF says, Splunk applies default if not specified. So D is accurate
I have 2 indexes in my test deployment. (Splunk enterprise) 9.1.0.2. By running a simple search with the word "error" or a sourcetype specified does not return any event. To me it's A
Splunk Cloud, version 9. Tried a search putting a sourcetype before, then one with only a word after, without telling the index: I got result. So for me D is the correct one.
A. Splunk 9 returns no event
Using Splunk 8.1.1, when I don’t specify an index, I don’t get results. I’ve created two new indexes, both which contain data, but neither are searched by default.
In order to establish new indexes as “default”, edit the Role > Indexes, check the indexes to be made default.
Because you only have one index in your Lab. Try to create a test Index and then search. It will search both the test and default index
In my lab with splunk 8, when I don't specify any index param it only brings me data from the default index "main". So I'm confused with this one? any other tests?
Is the assumption that you have access to all/remaining Indexes?