I currently see the wineventlog:security as a source under my wineventlog index for the Splunk_TA_Windows app
and also under my main index.
Is it possible I am indexing this data twice?
Will Splunk ingest the same data if it is sent to two different indexes?
It is highly unlikely. Figure out what host
is sending, go to that host, and do this:
$SPLUNK_HOME/bin/splunk btool inputs list --debug
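
An added example, not part of the original answer: once the `btool inputs list --debug` output has been collected from each sending host, this sketch reports which enabled WinEventLog stanzas end up in more than one index and which conf file set the index on each host. The host names `dc01` and `ws17` and the sample output are constructed, and treating `index = default` as the main index is an assumption about the indexer's default.

```python
import re
from collections import defaultdict

# Constructed btool output for two hypothetical hosts (not taken from the post).
# Line format: "<conf file that supplied the line>  <[stanza] or key = value>".
ETC = r"C:\Program Files\SplunkUniversalForwarder\etc"
TA = ETC + r"\apps\Splunk_TA_windows\local\inputs.conf"
BTOOL = {
    "dc01": "\n".join([TA + " [WinEventLog://Security]",
                       TA + " disabled = 0",
                       TA + " index = wineventlog"]),
    "ws17": "\n".join([ETC + r"\system\local\inputs.conf   [WinEventLog://Security]",
                       ETC + r"\system\local\inputs.conf   disabled = 0",
                       ETC + r"\system\default\inputs.conf index = default"]),
}
LINE = re.compile(r"^(.*?\.conf)\s+(.*)$")  # the path itself may contain spaces

def parse(text):
    """Return {stanza: {key: (value, conf_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conf, body = m.group(1), m.group(2).strip()
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, value = (p.strip() for p in body.split("=", 1))
            current[key] = (value, conf)
    return stanzas

def split_inputs(btool_by_host):
    """Enabled WinEventLog stanzas that reach more than one index across hosts."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, text in btool_by_host.items():
        for name, kv in parse(text).items():
            off = kv.get("disabled", ("0", ""))[0].lower() in ("1", "true")
            if off or not name.lower().startswith("wineventlog"):
                continue
            index, conf = kv.get("index", ("default", "(unset)"))
            # Assumption: "default" resolves to the default index, normally main.
            seen[name]["main" if index == "default" else index].append((host, conf))
    return {s: dict(ix) for s, ix in seen.items() if len(ix) > 1}

if __name__ == "__main__":
    for stanza, by_index in split_inputs(BTOOL).items():
        for index, origins in sorted(by_index.items()):
            print(f"{stanza} -> index={index}: {origins}")
```

A stanza listed under two indexes with different hosts means each host sends its own events to a different index, which is not the same event being indexed twice.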