Alright, here is the issue. When my inputs.conf looks like this, I get data in from Snort.
[udp://516]
connection_host = ip
index = security
However, when I add this line, nothing comes in.
[udp://516]
connection_host = ip
index = security
sourcetype = snort
Any ideas?
You should grep through /opt/splunk and look for "snort". I suspect there is a props.conf somewhere (maybe in app "learned") that also has directives for sourcetype "snort" that is doing things that you are not expecting.
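
As an added example (not part of the original posts), the search suggested above can be narrowed from a plain grep to a listing of only the settings that sit inside a `[snort]` stanza of any .conf file. The function name `find_stanza_settings` is hypothetical, and the `/opt/splunk/etc` path in the usage comment assumes the install location mentioned in the answer.

```shell
#!/bin/sh
# Added example: report every setting that any .conf file under a Splunk
# configuration tree applies to one stanza, e.g. the sourcetype "snort".
# Usage (path is an assumption based on the /opt/splunk install above):
#   find_stanza_settings /opt/splunk/etc snort

find_stanza_settings() {
    root=$1      # directory to search
    stanza=$2    # stanza name without brackets, e.g. snort
    find "$root" -type f -name '*.conf' 2>/dev/null | sort |
    while IFS= read -r f; do
        awk -v want="[$stanza]" -v file="$f" '
            /^[ \t]*\[/ {
                # A stanza header: remember whether it is the one we want.
                hdr = $0
                gsub(/^[ \t]+|[ \t]+$/, "", hdr)
                in_stanza = (hdr == want)
                next
            }
            # Inside the wanted stanza: print key = value lines, skipping
            # blank lines and comments.
            in_stanza && /^[ \t]*[^# \t]/ && /=/ {
                line = $0
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                print file ": " line
            }
        ' "$f"
    done
}
```

Each output line names the file that contributes the setting, which shows whether a props.conf (for instance under the "learned" app) is changing how events with sourcetype "snort" are processed.
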
How are you determining that "nothing comes in", i.e. what search and time range did you use?