We are having an issue with duplicative JSON fields coming from Duo (the 2FA provider) events. Our scenario seems to be a bit different than what others are encountering though. When searching within the Duo app (https://splunkbase.splunk.com/app/3504/), there is no duplication. However, when searching within any other app (default Searching and Reporting, other custom apps, etc.), we are seeing the duplication of fields.
We are using Splunk Cloud, so we do not have backend access to our search head or indexers, but we can change anything that can be configured in the web interface. We do have backend access to the heavy forwarders.
The Duo app is installed on one such heavy forwarder that receives the events via API. Since the app seems to be working, our initial thought was to apply the app's default props.conf to all other apps by copying it to /opt/splunk/etc/system/local. Playing with the settings here, we can see that it does have an effect, but the default settings didn't solve the issue.