I got an answer from Splunk support. It turns out that duplication is expected behavior.
Chad,
Unfortunately, there is no solution to the duplicated events. With the "useACK" functionality, there are times where the forwarder doesn't get the ack message after the indexer has written the event to the log. This is expected behavior.
Brian
Here are the results of Splunk support's test:
24460 Messages Sent
24444 Messages received by the forwarder (tcpdump)
25276 Messages received by the indexer
832 Duplicated messages
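The behavior support describes, where the indexer writes the data but its ack never reaches the forwarder, so the forwarder sends it again, can be reproduced in a small model and then reconciled by content hash. This is an added example, not part of the original post and not Splunk's code or wire protocol; the block size, the lost-ack pattern and the names `deliver` and `reconcile` are assumptions, and the sample events are constructed.

```python
import hashlib
from collections import Counter

def deliver(events, block_size, lost_acks):
    """Forward events in blocks; resend any block whose ack never arrived.

    lost_acks is a set of (block_index, attempt) pairs for which the indexer
    wrote the block but the ack was lost on the way back (assumed input).
    Returns the events as written by the indexer, duplicates included.
    """
    indexed = []
    blocks = [events[i:i + block_size] for i in range(0, len(events), block_size)]
    for idx, block in enumerate(blocks):
        attempt = 0
        while True:
            indexed.extend(block)          # indexer writes the block first
            if (idx, attempt) not in lost_acks:
                break                      # ack reached the forwarder
            attempt += 1                   # no ack seen: forwarder resends
    return indexed

def digest(event):
    """Content hash used as the de-duplication key."""
    return hashlib.sha256(event.encode()).hexdigest()

def reconcile(sent, indexed):
    """Compare what was sent with what was indexed, keyed by content hash."""
    sent_keys = {digest(e) for e in sent}
    counts = Counter(digest(e) for e in indexed)
    return {
        "sent": len(sent),
        "indexed": len(indexed),
        "unique_indexed": len(counts),
        "duplicates": sum(c - 1 for c in counts.values()),
        "missing": len(sent_keys - set(counts)),
    }

# Constructed sample: 100 distinct events in blocks of 10; the ack is lost
# once for block 2 and twice for block 7.
SENT = [f"seq={i} host=fw01 action=deny" for i in range(100)]
INDEXED = deliver(SENT, 10, {(2, 0), (7, 0), (7, 1)})
REPORT = reconcile(SENT, INDEXED)

if __name__ == "__main__":
    print(REPORT)
```

Nothing is lost in this model, but count-based searches and thresholds over the indexed data see the inflated total unless they de-duplicate on a content key first.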