Use of the Restrict search terms feature on a role definition should be limited to the following:
- index-time fields, using the indexed-field notation such as sourcetype::value
- search strings, such as "type=t1" or "type=\"t1\"", as opposed to search-time fields like type=t1 or type="t1"
- combinations of the above using OR, AND, or NOT
I have only found index to be the only indexed field where you don't need the indexed-field notation, whereas default fields like host, source, and sourcetype can take on a user-defined calculated field.
As a user, you can easily spot if your searches are being filtered using this method by running a search, such as index=*, then clicking Job > Inspect Job, clicking Search job properties, and identifying potential search-time fields within remoteSearch.
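An added example, not part of the original post: a small Python audit that reads role stanzas from authorize.conf text and flags srchFilter terms written as field=value comparisons rather than the indexed-field notation or quoted search strings listed above. The role names and filter values are constructed for illustration, and the check accepts index= because the post reports that index works without the :: notation.

```python
import configparser
import re

# Constructed sample authorize.conf content; role names and values are made up.
SAMPLE_CONF = r'''
[role_web_analyst]
srchFilter = sourcetype::access_combined OR "type=\"t1\""

[role_helpdesk]
srchFilter = index=main AND (host=web01 OR NOT type="t1")
'''

# A quoted search string, or a bare term that may carry a quoted value (type="t1").
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[^\s()"]+(?:"(?:\\.|[^"\\])*")?')
OPERATORS = {"AND", "OR", "NOT"}


def risky_terms(srch_filter):
    """Return the terms in one filter that look like search-time field comparisons."""
    flagged = []
    for token in TOKEN.findall(srch_filter):
        if token.startswith('"') or token.upper() in OPERATORS:
            continue  # quoted search string or boolean operator
        if "::" in token:
            continue  # indexed-field notation, e.g. sourcetype::value
        if re.match(r"index\s*=", token, re.IGNORECASE):
            continue  # per the post, index does not need the :: notation
        if re.search(r"[=<>]", token):
            flagged.append(token)  # field comparison resolved at search time
    return flagged


def audit_roles(conf_text):
    """Map each role stanza to its risky srchFilter terms (clean roles are omitted)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        flagged = risky_terms(parser[stanza].get("srchFilter", ""))
        if stanza.startswith("role_") and flagged:
            findings[stanza] = flagged
    return findings


if __name__ == "__main__":
    for role, terms in audit_roles(SAMPLE_CONF).items():
        print(f"{role}: review {', '.join(terms)}")
```

Flagged terms such as host=web01 are the ones to rewrite as host::web01 or as a quoted search string in the role definition.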