We have a very similar issue on OPSEC LEA 4.2.0 and Splunk Core 6.6.0.
Actually, events are logged 13 times and this is obviously destroying our licenses. An easy query to detect the issue is:
sourcetype=opsec*|stats count, dc(_raw) as dedup by host|eval ratio=count/dedup
Strange thing is that a couple of weeks ago, events were indexed 9 times and now 13 times, which means that things get worse over time. Restarting Splunk, resetting/recreating OPSEC inputs did not help either.
We have an open case with Splunk...