Splunk uses default fields along with the individual event's raw data to correlate and identify common elements in the data on the fly at search time. This means there is no fixed schema, which makes searching with Splunk fast, easy, and flexible.
You can get data in with forwarders or with Splunk apps. Forwarders collect data from remote machines and prepare it for indexing, for example by compressing data, buffering it, and adding source, sourcetype, and host metadata. Universal forwarders do not parse data before forwarding it and are the recommended way to forward data to indexers. Heavy forwarders parse data before forwarding it and can route data based on event contents.
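A concrete forwarder configuration, as an added example that is not from the original page: the stanzas below show a universal forwarder tagging a monitored file with sourcetype, host and index metadata and sending it compressed to an indexer group, and a heavy forwarder routing events to a different indexer group based on their content. File path, hostnames, ports, index name, group names and the regex are assumptions chosen for illustration.

```ini
# --- Universal forwarder: inputs.conf ---
# Tag the monitored file with sourcetype/index/host metadata at collection time.
# No event parsing happens on a universal forwarder. (Path and host are assumptions.)
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os_auth
host = web-01.example.internal
disabled = false

# --- outputs.conf (universal and heavy forwarder) ---
# Compress and buffer on the way to the indexer tier. Two output groups are
# defined so the heavy forwarder below can choose between them per event.
# (Hostnames, ports and group names are assumptions.)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx-01.example.internal:9997, idx-02.example.internal:9997
compressed = true

[tcpout:security_indexers]
server = idx-sec-01.example.internal:9997
compressed = true

# --- Heavy forwarder only: props.conf ---
# A heavy forwarder parses events, so a transform can be applied per sourcetype.
[linux_secure]
TRANSFORMS-routing = route_failed_logins

# --- Heavy forwarder only: transforms.conf ---
# Content-based routing: events matching the regex are sent to the
# security_indexers group; everything else keeps the default destination.
[route_failed_logins]
REGEX = Failed password for
DEST_KEY = _TCP_ROUTING
FORMAT = security_indexers
```

A universal forwarder ignores the props.conf and transforms.conf stanzas because it does not parse events; only a heavy forwarder applies them.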
At the indexer, Splunk breaks data into individual events (event line breaking), and identifies the basic attributes of each event in the form of default fields, then stores the events for searching. Splunk generates these default fields for each event that identify and describe the event's origin: