I'm trying to get my snort data to splunk. I've installed the universalfowarder on the snort box,

monitoring /var/log/snort/snort.log

Here is some information from the Forwarder

etc/system/inputs.conf

[monitor:///var/log/snort/snort.log]

host = snort

sourcetype=snort_alert_full

etc/system/outputs.conf

[tcpout]

defaultGroup = 10.1.57.198_9514

disabled = false

[tcpout:10.1.57.198_9514]

server = 10.1.57.198:9514

[tcpout-server://10.1.57.198:9514]

netstat -a

tcp 0 0 snort.ntwk:59892 10.1.57.198:9514 ESTABLISHED

metrics.log

04-26-2011 11:48:05.026 -0700 INFO Metrics - group=tcpout_connections, index:10.1.57.198:9514:0, sourcePort=8089, destIp=10.1.57.198, destPort=9514, _tcp_Bps=587.97, _tcp_KBps=0.57, _tcp_avg_thruput=0.58, _tcp_Kprocessed=1461, _tcp_eps=0.70

Here is some information from the Receiver

/etc/apps/SplunkforSnort/local/inputs.conf

[splunktcp://9514]

sourcetype = snort

connection_host = dns

metrics.log

04-26-2011 11:48:33.427 -0700 INFO Metrics - group=tcpin_connections, 10.1.57.8:59891:9514,
connectionType=cooked, sourcePort=59891, sourceHost=snort.ntwk, sourceIp=10.1.57.8,
destPort=9514, _tcp_Bps=585.45, _tcp_KBps=0.57, _tcp_avg_thruput=0.56, kb=17.72, _tcp_Kprocessed=1401.00, _tcp_eps=0.74, build=98164, version=4.2.1, os=Linux, arch=i686, hostname=snort, guid=63421A46-231F-414F-A119-5D1482F5F32C, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false

But I'm not seeing anything in Splunk Web Search. Any help would be really appreciated. Thanks for looking.