The better way of writing search query for index is:
The better way of writing search query for index is:
The correct way of writing a search query to include results from multiple indexes is to use the logical operator OR between the indexes. This ensures that the search query returns results that are present in either of the specified indexes. Therefore, the form (index=a OR index=b) is the appropriate choice.
Could someone point out where this is documented please.
https://github.com/subbukandula/Splunk/blob/master/Splunk%206.X%20Fundamentals%20Part%201%20(eLearning).pdf
A does not make sense according to me. Because I think that data cannot be in 2 indexes at a time. Hence A will return no results.
Hence B remains the only plausible answer.
B is correct, page 92