A security analyst needs to find all events where the field 'user' has a value that is either 'admin' or 'root', but the search is returning too many results from a noisy source. Which search best filters the events to only include those where the 'user' field exactly matches 'admin' or 'root'?
Trap 1: user="admin" OR user="root"
Quotes are not needed for field-value matching and do not enforce exact match.
Trap 2: user=*admin* OR user=*root*
Wildcards match substrings, not exact values.
Trap 3: user=admin OR user=root
This would match any event where user contains 'admin' or 'root', leading to false positives like 'admin1'.
- A
user="admin" OR user="root"
Why wrong: Quotes are not needed for field-value matching and do not enforce exact match.
- B
user=*admin* OR user=*root*
Why wrong: Wildcards match substrings, not exact values.
- C
user IN ("admin", "root")
The IN operator matches fields exactly against the listed values, avoiding substring issues.
- D
user=admin OR user=root
Why wrong: This would match any event where user contains 'admin' or 'root', leading to false positives like 'admin1'.