Splunk primarily extracts fields from event data at search time, although certain fields, such as default fields (host, source, sourcetype), are extracted at index time. However, the majority of field extractions happen during search time to allow for more flexible and dynamic searches.