I had a similar issue but with a newer version, at the end it turned out to be that there is a parameter in estreamer.conf called batchsize, to control the size of log batches sent to indexers, so if you have intrusion events enabled and batchsize is set to 100, then you have to wait until you have 100 intrusions events to see them on Splunk :).
to disable this feature:
"batchSize": 1
ref.
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html
... View more