Heavy Forwarder is installed to acquire Azure AD logs. Add-on uses the following. Splunk Add-on for Microsoft Office 365 Please tell me the following description of the above Add-on troubleshooting. It is a recognition that duplicate log capture may occur, What are the conditions under which duplicate logs occur?
Not quite sure as to what exactly are you asking, but the condition when the logs get duplicated are:
1. Two inputs querying the same eventhub or graph API to get the same sets of logs.
2. Using additional add ons like MS Azure Add on along with to query the O365 Add on to get the logs.
3. Getting rid of the the last saved checkpoint, which then makes the add on read everything from the scratch as per the timeline of how far are you looking for logs while setting up the add on.