All search-time field extractions should be specified on the search head. The search head is responsible for parsing and processing the search results, including field extractions at search time. The indexer primarily handles indexing and storing the data, while the deployment server manages configurations and app deployments, and the universal forwarder collects and sends data to the Splunk indexer.