I've got it working now and will post an answer so people searching for the same issue can find it, but I'm not really happy with it - seems like a fudge. I'd like to know what people think: is this intended behaviour? Is there a better fix? Is this a mistake by Splunk, or by the people who wrote the distro or configured my server (it's running Oracle Linux Server 7), or potentially a mistake I made installing the module (if I recall correctly it was just a case of, as root, extracting the archive then running python setup.py install)?
The fact I had to do the chmod, I think, points to a server config issue, probably the umask, but the second issue seems very strange. So root was looking inside setuptools-0.9.8-py2.7.egg-info, whereas other users weren't. I have no idea why this would be.