The splunk and syslog-ng manifests are intended to be used together. The syslog-ng and splunk services depend on a FIFO existing at /var/log/splunk-syslog. In my environment I have syslog-ng accepting syslog messages, filtering them, and writing to the FIFO and splunk reading from it. You may remove this dependency if you wish.
I also have splunk binding to 127.0.0.1 with an environment variable being set in the manifest. Remove the following from the manifest if you wish to have splunk directly accessible:
<envvar name="SPLUNK_BINDIP" value="127.0.0.1"/>
I do this to limit access to the splunk admininstrator interface via an apache reverse proxy. The apache configuration snippet to achieve this is included below. Add apache Allow statements to those who you trust to access the administrator interface.
# Reverse Proxy for splunk listening on localhost:8000
Allow from all
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
# Don't allow access to /admin/ which allows people to upload log files
# and tail any file on the server.
Deny from all
# Add allow statements here
Update: Here are the same ISC dhcpd, splunk and syslog-ng manifests now hosted in my new Google Code repo. I expect these to be more up to date than the opensolaris.org hosted copies.