Splunk internal fields contain general information about events and start from an underscore (i.e., _).

Splunk internal fields are indeed designed to contain general information about events, and they are characterized by starting with an underscore (_). This naming convention helps differentiate these internal fields from user-defined fields, enabling better organization and identification of the data. Common examples of these internal fields include _time, _raw, and _index, all of which play a crucial role in how Splunk processes and presents data. The consistent use of the underscore at the beginning of these field names is a standard across all Splunk deployments, making it recognizable and standardizing how users interact with Splunk's data model. Therefore, stating that Splunk internal fields start with an underscore is accurate and reflects a fundamental aspect of how Splunk operates.