Fields are the building blocks of searches, reports, and data models in Splunk Enterprise. When you run a search on your event data, Splunk Enterprise looks for fields in that data.
Splunk automatically extracts fields - at least the default fields which are host,source,sourcetype. If the auto extracted fields are not enough for you to perform a search effectevely, you have to extract fields manually either at index time or at search time ( Field Extraction )
To use the power of Splunk Enterprise search, create additional field extractions. Custom field extractions allow you to capture and track information that is important to your needs, but which is not automatically discovered and extracted by Splunk Enterprise. Any field extraction configuration you provide must include a regular expression that tells Splunk Enterprise how to find the field that you want to extract.
All field extractions, including custom field extractions, are tied to a specific source, sourcetype, or host value. For example, if you create an ip field extraction, you might tie the extraction configuration for ip to sourcetype=access_combined.
Custom field extractions should take place at search time, but in certain rare circumstances you can arrange for some custom field extractions to take place at index time
Refer :
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchTutorial/Usefieldstosearch
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Aboutfields
Happy Splunking!
