The correct answer is C. By enclosing the macro name in backtick characters (`).
A macro is a way to reuse a piece of SPL code in different searches. A macro can take arguments, which are
variables that can be replaced by different values when the macro is called.A macro can also contain another
macro within it, which is called a nested macro1.
To reference a macro in a search, you need to enclose the macro name in backtick characters (). For example,
if you have a macro namedmy_macro` that takes one argument, you can reference it in a search by using the
following syntax:
|my_macro(argument)| ...
This will replace the macro name and argument with the SPL code contained in the macro definition. For
example, if the macro definition is:
[my_macro(argument)] search sourcetype=$argument$
And you reference it in a search with:
index=main |my_macro(web)| stats count by host
This will expand the macro and run the following SPL code:
index=main | search sourcetype=web | stats count by host
References:
Use search macros in searches

Explanation/Reference: https://www.edureka.co/blog/splunk-events-event-types-and-tags/

Explanation
The correct answer is C. When events contain unstructured data.
The regular expression method works best with unstructured event data, such as log files or text messages, where the fields are not separated by a common delimiter, such as a comma or space1. You select a sample event and highlight one or more fields to extract from that event, and the field extractor generates a regular expression that matches similar events in your dataset and extracts the fields from them1. The regular expression method provides several tools for testing and refining the accuracy of the regular expression. It also allows you to manually edit the regular expression1.
The delimiters method is designed for structured event data: data from files with headers, where all of the fields in the events are separated by a common delimiter, such as a comma or space1. You select a sample event, identify the delimiter, and then rename the fields that the field extractor finds1. This method is simpler and faster than the regular expression method, but it may not work well with complex or irregular data formats1.
Reference:
1: Build field extractions with the field extractor - Splunk Documentation