Are default fields added to every event in Splunk at INDEX time?

Default fields in Splunk, such as host, source, and sourcetype, are added at the time of indexation, but they are derived from the event data during the indexing process, rather than being set automatically for every event. When data is ingested, Splunk parses the events and applies the appropriate metadata based on the type of data being indexed.

For example, the host field typically reflects the originating host of the data, the source field indicates the specific source of the data (like a log file), and the sourcetype represents the type of data format (like syslog or JSON). These fields depend on how the input data is configured and the context in which the events are being indexed.

Thus, the assertion that default fields are added to every event at index time is somewhat misleading because it emphasizes that they are universally preset rather than created based on the specific characteristics of each event during parsing.