I'm assuming that you're using an apex role to inherit both role_a and role_b. In this case, you can do a search (as admin) like | rest /services/authorization/roles/role_APEX and look at the imported search filters. If you're not using an apex role, and simply assigning a user both roles simultaneously, I think it's going to be a lot harder to debug. There's not a way that I know of to ask "what would the final filter be?" if you're not using an apex role. You're left trying to intuit what Splunk has implemented on your behalf by testing searches over and over. It may be that one inheritance is actually trumping another, perhaps even down to the name of the role (a coming before b, etc).
I'd approach the problem by setting up an apex role (inheriting from both inferior roles) and then setting an explicit search filter on that role, e.g. (index=_internal OR index=_audit) OR (index=* (ConfigVersionId=86 (Address=*))) . It's ugly, but you'd be sure of what the filter is.
... View more