Snort logs not appearing in Splunk

Recently we had an issue where our Snort logs stopped appearing in Splunk, despite having worked fine for many months. After some digging I found that if you are writing the log in alert_fast format, Splunk may not index the data because the timestamp format lacks the year, for example 11/04-11:44:29.049638.

The fix for this is to run Snort with the -y argument, which includes the year in the timestamp, e.g. 11/04/15-11:44:29.049638.
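To check an existing alert_fast file for the problem, the following added example (not part of the original post) parses both timestamp shapes and counts lines that carry no year; the sample lines are constructed and the two-digit year is assumed to be 20xx.

```python
import re
from datetime import datetime

# alert_fast timestamps come in two shapes (constructed examples):
#   without -y : 11/04-11:44:29.049638
#   with -y    : 11/04/15-11:44:29.049638
TS_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})(?:/(?P<yy>\d{2}))?-"
    r"(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<usec>\d{6})"
)


def parse_timestamp(line, assumed_year=None):
    """Return (datetime, has_year) for one alert_fast line.

    A year-less timestamp is only parsed if assumed_year is given,
    since the log itself cannot tell us which year it belongs to.
    """
    m = TS_RE.match(line)
    if not m:
        raise ValueError("not an alert_fast line: %r" % line[:40])
    if m.group("yy") is not None:
        year, has_year = 2000 + int(m.group("yy")), True   # assumption: 20xx
    elif assumed_year is not None:
        year, has_year = assumed_year, False
    else:
        raise ValueError("timestamp has no year; run snort with -y")
    hour, minute, second = (int(x) for x in m.group("hms").split(":"))
    ts = datetime(year, int(m.group("mon")), int(m.group("day")),
                  hour, minute, second, int(m.group("usec")))
    return ts, has_year


def audit(lines):
    """Count alert lines whose timestamp lacks a year (the ones Splunk may drop)."""
    counts = {"total": 0, "missing_year": 0, "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        counts["total"] += 1
        m = TS_RE.match(line)
        if m is None:
            counts["unparsed"] += 1
        elif m.group("yy") is None:
            counts["missing_year"] += 1
    return counts


# Constructed sample lines in both formats.
SAMPLE = [
    "11/04-11:44:29.049638  [**] [1:1000001:1] example rule [**] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "11/04/15-11:44:29.049638  [**] [1:1000001:1] example rule [**] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
]
```

If `audit` reports any `missing_year` lines, the source is running without -y and those events need the year supplied before Splunk can place them in time.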

For us this seemed to happen after ntpd was updated on the snort server, but that may have just been coincidence.
