Given the macro definition below, what should be entered into the Name and Arguments fields to correctly configure the macro?
Correct Answer: B
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Definesearchmacros

The macro definition below shows a macro that tracks user sessions based on two arguments: action and JSESSIONID.

sessiontracker(2)

The macro definition does the following:
* It specifies the name of the macro as sessiontracker. This is the name that will be used to execute the macro in a search string.
* It specifies the number of arguments for the macro as 2. This indicates that the macro takes two arguments when it is executed.
* It specifies the code for the macro as index=main sourcetype=access_combined_wcookie action=$action$ JSESSIONID=$JSESSIONID$ | stats count by JSESSIONID. This is the search string that will be run when the macro is executed. The search string can contain any part of a search, such as search terms, commands, arguments, etc. The search string can also include variables for the arguments using dollar signs around them. In this case, action and JSESSIONID are variables for the arguments that will be replaced by their values when the macro is executed.

Therefore, to correctly configure the macro, you should enter sessiontracker as the name and action, JSESSIONID as the arguments. Alternatively, you can use sessiontracker(2) as the name and leave the arguments blank.
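To make the mapping between the Name, Arguments and Definition fields and what Splunk stores concrete, here is an added Python example (not from the Splunk documentation or the exam material) that renders the macro above as a macros.conf stanza and expands a backtick invocation by substituting the $action$ and $JSESSIONID$ placeholders. The argument values purchase and ABC123 are constructed, and the invocation parser is a simplification that splits on commas and does not handle quoted arguments.

```python
import re

# The macro from the question: name, argument names and SPL definition.
MACRO = {
    "name": "sessiontracker",
    "args": ["action", "JSESSIONID"],
    "definition": (
        "index=main sourcetype=access_combined_wcookie "
        "action=$action$ JSESSIONID=$JSESSIONID$ | stats count by JSESSIONID"
    ),
}

def macros_conf_stanza(macro):
    """Render the macro the way Splunk stores it in macros.conf.
    The stanza name carries the argument count in parentheses, which is
    what the 'sessiontracker(2)' label in the question refers to."""
    stanza = f"[{macro['name']}({len(macro['args'])})]"
    return "\n".join([
        stanza,
        "args = " + ", ".join(macro["args"]),
        "definition = " + macro["definition"],
    ])

def expand_macro(macro, invocation):
    """Expand a backtick invocation such as `sessiontracker(purchase, ABC123)`
    into the search string Splunk would run. The number of values supplied
    must equal the arity in the stanza name. Simplification: arguments are
    split on commas only, so quoted values containing commas are not handled."""
    m = re.fullmatch(r"`(\w+)(?:\((.*)\))?`", invocation.strip())
    if not m or m.group(1) != macro["name"]:
        raise ValueError(f"not an invocation of {macro['name']}: {invocation}")
    raw = (m.group(2) or "").strip()
    values = [v.strip() for v in raw.split(",")] if raw else []
    if len(values) != len(macro["args"]):
        raise ValueError(f"{macro['name']} expects {len(macro['args'])} "
                         f"argument(s), got {len(values)}")
    search = macro["definition"]
    for name, value in zip(macro["args"], values):
        # Each $name$ placeholder is replaced by the caller's value.
        search = search.replace(f"${name}$", value)
    return search

def invocation_is_valid(macro, invocation):
    """True when the invocation names this macro with the right arity."""
    try:
        expand_macro(macro, invocation)
        return True
    except ValueError:
        return False
```

Calling expand_macro(MACRO, "`sessiontracker(purchase, ABC123)`") yields the definition with action=purchase and JSESSIONID=ABC123 filled in, while an invocation with one argument is rejected because the stanza declares two.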
SPLK-1002 Exam Question 33
When should you use the transaction command instead of the stats command?
Correct Answer: D
Explanation: The transaction command is used to group events into transactions based on some common characteristics, such as fields, time, or both. The transaction command can also specify start and end constraints for the transactions, such as a field value that indicates the beginning or the end of a transaction. The stats command is used to calculate summary statistics on the events, such as count, sum, average, etc. The stats command cannot group events based on start and end constraints, but only on fields or time buckets. Therefore, the transaction command should be used instead of the stats command when you need to group events based on start and end constraints.
SPLK-1002 Exam Question 34
Two separate results tables are being combined using the | join command. The outer table has the following values (refer to the following tables). The line of SPL used to join the tables is: | join employeeNumber type=outer How many rows are returned in the new table?
Correct Answer: C
When performing an outer join in Splunk using the | join employeeNumber type=outer command, it combines the rows from both tables based on the employeeNumber field. An outer join returns all rows from both tables, with matching rows from both sides where available. If there is no match, the result is NULL on the side of the join where there is no match. In the provided tables, there are five rows in the first table and three in the second. Since it's an outer join, all rows from both tables will be returned. This means the new table will have a total of eight rows, combining the matched rows and the unmatched rows from both tables.

References:
* Splunk Documentation on the join command.
* Splunk Community discussions on the usage of join and types of joins.
SPLK-1002 Exam Question 35
In this search, __________ will appear on the y-axis.

SEARCH: sourcetype=access_combined status!=200 | chart count over host
Correct Answer: C
In this search, count will appear on the y-axis. This search uses the chart command to create a chart of the count of events over host for events that have status not equal to 200. The chart command creates a table with one column for each value of the field after the over clause and one row for each value of the field after the by clause (if any). The values in the table are calculated by applying the function before the over clause to the events in each group. In this case, the chart command creates a table with one column for each host and one row for the count of events for each host. The y-axis of the chart shows the values of the count function applied to each host. Therefore, option C is correct, while options A and B are incorrect because they appear on the x-axis or as labels of the chart.