Tag your incoming alert data with the unified2 sourcetype to take advantage of these field extractions.
sourcetype = unified2
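The stanza below shows where that sourcetype assignment goes in a Splunk inputs.conf on the forwarder that reads the Snort output. It is an added illustration, not configuration shipped with this TA; the monitor path /var/log/snort/alert and the index name ids are assumed values that will differ per deployment.

```ini
# Added example (not part of the TA): monitor the Snort alert output and
# assign the unified2 sourcetype so the TA's field extractions apply.
# The file path and index below are assumptions; adjust to your deployment.
[monitor:///var/log/snort/alert]
sourcetype = unified2
index = ids
disabled = 0
```

Restart the forwarder (or reload its inputs) after editing the file. Events that arrive under any other sourcetype will not receive these extractions, so check the sourcetype on a few indexed events before relying on the fields.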
Note: This TA currently parses only Unified2 "alert" logs. Support for packet logging and true unified logging is to come.
Reference for Unified2: https://www.snort.org/faq/readme-unified2
Also, check us out on Splunkbase: https://splunkbase.splunk.com/app/4823/