Do events come in near real time for you? I'm running into an issue where events are very delayed getting to Splunk.
I've set up a correlation rule on the FMC to email me when there is an IPS event. In Splunk I run a report every 30 minutes to search for IPS events from the past 4 hours from the estreamer host and email me the results. Based on the time I get the email from the FMC and when the events finally show up in the report, it takes anywhere from 1.5 to 2 hours before triggered IPS events show up in Splunk.
I've been working with TAC on this for a couple of months and haven't found the issue. I've uninstalled Splunk and the TA-eStreamer App at least twice with similar results.
My version of Splunk, FMC, and eNcore app are as follows:
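An added example, not part of the original post or of the eNcore/TA-eStreamer app: instead of comparing the FMC email timestamp with the time the events appear in the 30-minute report, the lag can be measured directly in Splunk, because every event carries both its event time (`_time`, taken from the eStreamer record) and the time the indexer wrote it (`_indextime`). The sourcetype `cisco:estreamer:data` is an assumption about how the TA tags the events; adjust it (or add a `host=` filter) to match the estreamer host in your environment.

```spl
sourcetype="cisco:estreamer:data" earliest=-4h
| eval index_lag_s = _indextime - _time
| stats count,
        min(index_lag_s)    AS min_lag_s,
        median(index_lag_s) AS median_lag_s,
        max(index_lag_s)    AS max_lag_s,
        latest(_time)       AS newest_event_time,
        latest(_indextime)  AS newest_index_time
  BY host, sourcetype
| eval newest_event_time = strftime(newest_event_time, "%Y-%m-%d %H:%M:%S"),
       newest_index_time = strftime(newest_index_time, "%Y-%m-%d %H:%M:%S")
```

A median lag of roughly 5400 to 7200 seconds would reproduce the 1.5 to 2 hour delay described above and would point at the path between the FMC and the indexer (the eNcore client's streaming rate or the forwarder queue), whereas a lag near zero with an old `newest_event_time` would mean the events are indexed promptly but the FMC is sending them late. Note that the 4 hour window is applied to `_time`, so an event that is 2 hours old when it arrives is still counted; when the lag grows beyond the search window the events drop out of the report entirely, which is a different symptom from the one described.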