Hi wtian,
Splunk will keep track of once indexed files in the _fishbucket
index. the command splunk clean eventdata
does clean it, but if you forward your data using a universal forwarder Splunk still knows about that the data was already indexed. Therefore you must clean the _fishbucket
index using the same command on the universal forwarder as well.
hope this helps ...
cheers, MuS