The Splunk Common Information Model (CIM) Add-on is a foundational component for many Splunk apps, providing a common framework for data normalization and field extraction. This add-on includes a set of pre-configured data models that are essential for consistent reporting, searching, and correlation across various types of data. These data models help standardize field names and event structures, ensuring that data from disparate sources can be queried in a uniform way. While the CIM Add-on facilitates the use of standardized sourcetypes and supports data validation, the primary feature it offers is the set of pre-configured data models which are crucial for maintaining consistency across different datasets.

Reference:https://answers.splunk.com/answers/574643/field-showing-an-additional-and-not-visible-value-1.
html
To use a macro in a search, you must enclose the macro name and any arguments in single quotation marks1.
For example, 'my_macro(arg1,arg2)' is a valid way to use a macro with two arguments. You can use macros anywhere in your search string where you would normally use a search command or expression1. Therefore, options A and C are valid searches that use macros, while options B and D are invalid because they do not enclose the macros in single quotation marks.

The tag=Priv* search will return events containing a tag named Privileged, as well as any other tag that starts with Priv. The asterisk (*) is a wildcard character that matches zero or more characters. The other searches will not match the exact tag name.

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/FXSelectMethodstep The Field Extractor (FX) is a tool that helps you extract fields from your data using delimiters or regular expressions. Delimiters are characters or strings that separate fields in your data. The FX can detect some common delimiters automatically, such as pipes (|), spaces ( ), commas (,), semicolons (;), etc. The FX cannot detect tabs (\t) as delimiters automatically, but you can specify them manually in the FX interface.