You could check the field extractions in the new Splunk Cisco Security Suite. There is a field "context" being added which is not extracted by Splunk Cisco IPS version 1.0.4. So you have a choice: either delete this field from the inline search in the "ips_overview" view and disable the appropriate panel in the dashboard, or extract this field from your current IPS logs (if you have this field).
Performance depends on the comparative load of the indexer/search head and how your searches are designed. You can find general recommendations below:
http://docs.splunk.com/Documentation/Splunk/5.0.1/Search/Realtimeperformanceandlimitations
You have to contact Splunk Support to split a single Splunk license into two independent ones. Then you would be able to manage the two licenses separately.