I've got an issue where a significant portion of my ingested Log4Net_xml sourcetype logs have duplicate events. I'm currently using a file monitor on a Ubuntu 16.04 LTS, Splunk 7.3.0 machine with a local Monitor stanza to ingest the logs which looks like this:

[monitor:///mnt/CALogs/.../*.log]
disabled = 0
host_segment = 4
index = ca
sourcetype = log4net_xml
#initCrcLength = 1024 # Tried this, it started reindexing all the log file.

Our Log4Net configs looks like this:

<appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
               <file type="log4net.Util.PatternString" value="\\server1\ca\Logs\Application\%property{log4net:HostName}\Application.log" />
               <appendToFile value="true" />
               <rollingStyle value="Size" />
               <maximumFileSize value="5MB" />
               <staticLogFileName value="true" />
               <maxSizeRollBackups value="10" />
               <layout type="log4net.Layout.XMLLayout" />
          </appender>

I have that directory mounted over SMB/CIFS with the following entry in fstab:

//server1/LogsCA /mnt/CALogs cifs username=user,password=Password,domain=somedomain.dev,sec=ntlm 0 0

Can anybody spot what I'm doing wrong?

Here's a picture of the search that I'm using to estimate duplicates: