SPLK-1002 Exam Question 71
Which of the following transforming commands can be used with transactions?
Correct Answer: A
The correct answer is A. chart, timechart, stats, eventstats.
Transforming commands are commands that change the format of the search results into a table or a chart. They can be used to perform statistical calculations, create visualizations, or manipulate data in various ways [1].
Transactions are groups of events that share some common values and are related in some way. Transactions can be defined by using the transaction command or by creating a transaction type in the transactiontypes.conf file [2].
Some transforming commands can be used with transactions to create tables or charts based on the transaction fields. These commands include:
* chart: This command creates a table or a chart that shows the relationship between two or more fields. It can be used to aggregate values, count occurrences, or calculate statistics [3].
* timechart: This command creates a table or a chart that shows how a field changes over time. It can be used to plot trends, patterns, or outliers [4].
* stats: This command calculates summary statistics on the fields in the search results, such as count, sum, average, etc. It can be used to group and aggregate data by one or more fields [5].
* eventstats: This command calculates summary statistics on the fields in the search results, similar to stats, but it also adds the results to each event as new fields. It can be used to compare events with the overall statistics.
These commands can be applied to transactions by using the transaction fields as arguments. For example, if you have a transaction type named "login" that groups events based on the user field and has fields such as duration and eventcount, you can use the following commands with transactions:
* | chart count by user : This command creates a table or a chart that shows how many transactions each user has.
* | timechart span=1h avg(duration) by user : This command creates a table or a chart that shows the average duration of transactions for each user per hour.
* | stats sum(eventcount) as total_events by user : This command creates a table that shows the total number of events for each user across all transactions.
* | eventstats avg(duration) as avg_duration : This command adds a new field named avg_duration to each transaction that shows the average duration of all transactions.
The other options are not valid because they include commands that are not transforming commands or cannot be used with transactions. These commands are:
* diff: This command compares two search results and shows the differences between them. It is not a transforming command and it does not work with transactions.
* datamodel: This command retrieves data from a data model, which is a way to organize and categorize data in Splunk. It is not a transforming command and it does not work with transactions.
* pivot: This command creates a pivot report, which is a way to analyze data from a data model using a graphical interface. It is not a transforming command and it does not work with transactions.
References:
* About transforming commands
* About transactions
* chart command overview
* timechart command overview
* stats command overview
* eventstats command overview
* diff command overview
* datamodel command overview
* pivot command overview
SPLK-1002 Exam Question 72
What are the two parts of a root event dataset?
Correct Answer: C
Reference: https://docs.splunk.com/Documentation/SplunkLight/7.3.5/GettingStarted/Designdatamodelobjects
A root event dataset is the base dataset for a data model that defines the source or sources of the data and the constraints and fields that apply to the data [1]. A root event dataset has two parts: constraints and fields [1]. Constraints are filters that limit the data to a specific index, source, sourcetype, host or search string [1]. Fields are the attributes that describe the data and can be extracted, calculated or looked up [1].
Therefore, option C is correct, while options A, B and D are incorrect.
SPLK-1002 Exam Question 73
Selected fields are displayed ______ each event in the search results.
Correct Answer: A
Selected fields are fields that you choose to display in your search results by clicking on them in the Fields sidebar or by using the fields command [2]. Selected fields are displayed below each event in the search results, along with their values [2]. Therefore, option A is correct, while options B, C and D are incorrect because they are not places where selected fields are displayed.
SPLK-1002 Exam Question 74
Which of the following statements best describes a macro?
Correct Answer: C
The correct answer is C. A macro is a portion of a search that can be reused in multiple places.
A macro is a way to reuse a piece of SPL code in different searches. A macro can be any part of a search, such as an eval statement or a search term, and does not need to be a complete command. A macro can also take arguments, which are variables that can be replaced by different values when the macro is called. A macro can also contain another macro within it, which is called a nested macro [1].
To create a macro, you need to define its name, definition, arguments, and description in the Settings > Advanced Search > Search Macros page in Splunk Web or in the macros.conf file. To use a macro in a search, you need to enclose the macro name in backtick characters (`) and provide values for the arguments if any [1].
For example, if you have a macro named my_macro that takes one argument named object and has the following definition:
search sourcetype=$object$
You can use it in a search by writing:
`my_macro(web)`
This will expand the macro and run the following SPL code:
search sourcetype=web
The benefits of using macros are that they can simplify complex searches, reduce errors, improve readability, and promote consistency [1].
The other options are not correct because they describe other types of knowledge objects in Splunk, not macros. These objects are:
* A. An event type is a method of categorizing events based on a search. An event type assigns a label to events that match specific search criteria. Event types can be used to filter and group events, create alerts, or generate reports [2].
* B. A field alias is a way to associate an additional (new) name with an existing field name. A field alias can be used to normalize fields from different sources that have different names but represent the same data. Field aliases can also be used to rename fields for clarity or convenience [3].
* D. An alert is a knowledge object that enables you to schedule searches for specific events and trigger actions when certain conditions are met. An alert can be used to monitor your data for anomalies, errors, or other patterns of interest and notify you or others when they occur [4].
References:
* About event types
* About field aliases
* About alerts
* Define search macros in Settings
* Use search macros in searches
SPLK-1002 Exam Question 75
What are the expected results for a search that contains the command | where A=B?
Correct Answer: C
The correct answer is C. Events where values of field A are equal to values of field B.
The where command is used to filter the search results based on an expression that evaluates to true or false.
The where command can compare two fields, two values, or a field and a value. The where command can also use functions, operators, and wildcards to create complex expressions [1].
The syntax for the where command is:
| where <expression>
The expression can be a comparison, a calculation, a logical operation, or a combination of these. The expression must evaluate to true or false for each event.
To compare two fields with the where command, you need to use the field names without any quotation marks. For example, if you want to find events where the values for the field A match the values for the field B, you can use the following syntax:
| where A=B
This will return only the events where the two fields have the same value.
The other options are not correct because they use different syntax or fields that are not related to the where command. These options are:
* A. Events that contain the string value where A=B: This option uses the string value where A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text "where A=B" in them.
* B. Events that contain the string value A=B: This option uses the string value A=B as a search term, which is not valid syntax for the where command. This option will return events that have the literal text "A=B" in them.
* D. Events where field A contains the string value B: This option uses quotation marks around the value B, which is not valid syntax for comparing fields with the where command. Quotation marks are used to enclose phrases or exact matches in a search [2]. This option will return events where the field A contains the string value "B".
References:
* where command usage
* Search command cheatsheet