SPLK-1003 • Practice Test 28
Free SPLK-1003 practice test — 15 questions with explanations. Set 28.
A Splunk user wants to correlate events from different sourcetypes (web_access, app_log) that belong to the same user session identified by session_id. The events should be grouped only if they occur within 30 minutes of each other, and each transaction should contain at least one event from each sourcetype. Which SPL construct should they use?