What does Splunk do when it indexes events?

When Splunk indexes events, it extracts metadata fields such as host, source, and source type from the raw data. These fields are used to identify and categorize the events, and to enable efficient searching and filtering. Splunk also assigns a unique identifier (_cd) and a timestamp (_time) to each event. Splunk does not extract the top 10 fields, perform parsing, merging, and typing processes on universal forwarders, or create report acceleration summaries during indexing. These are separate processes that occur either before or after indexing. Therefore, the correct answer is B. Extracts metadata fields such as host, source, source type. References:

Splunk Core Certified Consultant Test Blueprint

Splunk Documentation: How Splunk Enterprise indexes data

Splunk Documentation: About default fields