Download and Configure Splunk Add-on Apps

Download and install the Snort 3 JSON Alerts add-on.

Download and install the CyberChef app (to convert the b64_data fields into readable text).

Configure the Snort 3 JSON Alerts add-on

This tells Splunk where the log files that Snort 3 generates are stored so that Splunk can ingest them.

```shell
sudo mkdir /opt/splunk/etc/apps/TA_Snort3_json/local
sudo touch /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf
sudo nano /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf
```

Enter the following configuration into this inputs.conf file:

```ini
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
```


Restart Splunk. When it starts, it will scan the /var/log/snort directory for the JSON alert files, assign them the sourcetype "snort3:alert:json", and ingest them so we can search them.

```shell
cd /opt/splunk/bin/
./splunk restart
```
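The three configuration steps above, scripted as an added example that is not part of the original guide: it writes the same monitor stanza without duplicating it on a second run, and counts which files in the log directory the `*alert_json.txt*` glob would actually pick up. SPLUNK_HOME and the log directory are parameters (an assumption here, so it can be tried in a scratch directory rather than /opt/splunk), and the rotated file name used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: creates the TA_Snort3_json
# local/inputs.conf stanza idempotently and counts the files the monitor glob
# would pick up. SPLUNK_HOME and the Snort log directory are parameters so the
# script can be exercised in a scratch directory before touching /opt/splunk.

# write_snort3_inputs SPLUNK_HOME LOG_DIR
write_snort3_inputs() {
    local_dir="$1/etc/apps/TA_Snort3_json/local"
    conf="$local_dir/inputs.conf"
    stanza="[monitor://$2/*alert_json.txt*]"
    mkdir -p "$local_dir"
    # Repeating the guide's touch/nano steps by hand can leave duplicate
    # stanzas behind; only append when this exact monitor stanza is absent.
    if [ -f "$conf" ] && grep -qF -- "$stanza" "$conf"; then
        return 0
    fi
    printf '%s\n' "$stanza" "sourcetype = snort3:alert:json" "" >> "$conf"
}

# count_monitored LOG_DIR: number of files the monitor glob matches. The
# trailing * also covers rotated copies such as alert_json.txt.<timestamp>,
# while other Snort outputs (alert_fast.txt, ...) are left alone.
count_monitored() {
    n=0
    for f in "$1"/*alert_json.txt*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone demonstration in a temporary tree with constructed file names.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log"
    : > "$tmp/log/alert_json.txt"
    : > "$tmp/log/alert_json.txt.1700000000"   # rotated file, constructed name
    : > "$tmp/log/alert_fast.txt"              # not JSON output, must be skipped
    write_snort3_inputs "$tmp/splunk" "$tmp/log"
    write_snort3_inputs "$tmp/splunk" "$tmp/log"   # second run must not duplicate
    cat "$tmp/splunk/etc/apps/TA_Snort3_json/local/inputs.conf"
    echo "files matched by the monitor glob: $(count_monitored "$tmp/log")"
    rm -rf "$tmp"
}
demo
```

After running it against the real SPLUNK_HOME, a restart of Splunk is still required, as in the step above, before the new input is picked up.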