Which Splunk functionality allows running investigative searches across multiple data models?

The correct answer is Data Model Acceleration. This functionality enables faster and more efficient searches across data models by pre-computing and storing the results of searches. When multiple data models are used, Data Model Acceleration can drastically reduce the time required to run investigative searches, particularly on large datasets. It allows users to leverage the power of Splunk's data architecture, creating optimized summaries of events based on specific criteria defined within the data models. This capability is particularly beneficial in a security context, where rapid analysis across various data sources is essential for timely incident response and threat detection.

Other options do not provide this specific functionality. Event Correlation focuses on identifying relationships between different events rather than facilitating cross-model searches. Real-time Processing pertains to handling and analyzing data as it arrives rather than on historical or aggregated datasets. Log Aggregation deals with collecting and centralizing log data from various sources, but it does not inherently support running searches across data models like Data Model Acceleration does.