I have seen a lot of similar Questions/Solutions with this aggravating issue, none of which are working.

Trying to pull RabbitMQ API (JSON) data into Splunk. Bash script creates /opt/data/rabbitmq-queues.json

curl -s -u test:test https://localhost:15671/api/queues | jq > /opt/data/rabbitmq-queues.json

Universal Forwarder has following props.conf on the RabbitMQ server:

[rabbitmq:queues:json]
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = JSON
KV_MODE = none

 And the inputs.conf: 

[batch:///opt/data/rabbitmq-queues.json]
disabled = false
index = rabbitmq
sourcetype = rabbitmq:queues:json
move_policy = sinkhole
crcSalt = <SOURCE>
initCrcLength = 1048576

We run the btool on the Universal Forwarder to verify the settings are getting applied correctly:

sudo /opt/splunkforwarder/bin/splunk btool props list --debug "rabbitmq:queues:json"

/opt/splunkforwarder/etc/apps/RabbitMQ_Settings/local/props.conf         [rabbitmq:queues:json]
/opt/splunkforwarder/etc/system/default/props.conf                       ADD_EXTRA_TIME_FIELDS = True
/opt/splunkforwarder/etc/system/default/props.conf                       ANNOTATE_PUNCT = True
/opt/splunkforwarder/etc/apps/RabbitMQ_Settings/local/props.conf         AUTO_KV_JSON = false
/opt/splunkforwarder/etc/system/default/props.conf                       BREAK_ONLY_BEFORE =
/opt/splunkforwarder/etc/system/default/props.conf                       BREAK_ONLY_BEFORE_DATE = True
/opt/splunkforwarder/etc/system/default/props.conf                       CHARSET = UTF-8
/opt/splunkforwarder/etc/system/default/props.conf                       DATETIME_CONFIG = /etc/datetime.xml
/opt/splunkforwarder/etc/system/default/props.conf                       DEPTH_LIMIT = 1000
/opt/splunkforwarder/etc/system/default/props.conf                       DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunkforwarder/etc/system/default/props.conf                       HEADER_MODE =
/opt/splunkforwarder/etc/apps/RabbitMQ_Settings/local/props.conf         INDEXED_EXTRACTIONS = JSON
/opt/splunkforwarder/etc/apps/RabbitMQ_Settings/local/props.conf         KV_MODE = none
/opt/splunkforwarder/etc/system/default/props.conf                       LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunkforwarder/etc/system/default/props.conf                       LEARN_MODEL = true
/opt/splunkforwarder/etc/system/default/props.conf                       LEARN_SOURCETYPE = true
/opt/splunkforwarder/etc/system/default/props.conf                       LINE_BREAKER_LOOKBEHIND = 100
/opt/splunkforwarder/etc/system/default/props.conf                       MATCH_LIMIT = 100000
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_DAYS_AGO = 2000
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_DAYS_HENCE = 2
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_DIFF_SECS_AGO = 3600
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_DIFF_SECS_HENCE = 604800
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_EVENTS = 256
/opt/splunkforwarder/etc/system/default/props.conf                       MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunkforwarder/etc/system/default/props.conf                       MUST_BREAK_AFTER =
/opt/splunkforwarder/etc/system/default/props.conf                       MUST_NOT_BREAK_AFTER =
/opt/splunkforwarder/etc/system/default/props.conf                       MUST_NOT_BREAK_BEFORE =
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION = indexing
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION-all = full
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION-inner = inner
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION-outer = outer
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION-raw = none
/opt/splunkforwarder/etc/system/default/props.conf                       SEGMENTATION-standard = standard
/opt/splunkforwarder/etc/system/default/props.conf                       SHOULD_LINEMERGE = True
/opt/splunkforwarder/etc/system/default/props.conf                       TRANSFORMS =
/opt/splunkforwarder/etc/system/default/props.conf                       TRUNCATE = 10000
/opt/splunkforwarder/etc/system/default/props.conf                       detect_trailing_nulls = false
/opt/splunkforwarder/etc/system/default/props.conf                       maxDist = 100
/opt/splunkforwarder/etc/system/default/props.conf                       priority =
/opt/splunkforwarder/etc/system/default/props.conf                       sourcetype =
/opt/splunkforwarder/etc/system/default/props.conf                       termFrequencyWeightedDist = false
/opt/splunkforwarder/etc/system/default/props.conf                       unarchive_cmd_start_mode = shell

 On the local Search Head we have the following props.conf:

[rabbitmq:queues:json]
KV_MODE = none
INDEXED_EXTRACTIONS = json
AUTO_KV_JSON = false

 We run the btool on the Search Head to verify the settings are getting applied correctly:

sudo -u splunk /opt/splunk/bin/splunk btool props list --debug "rabbitmq:queues:json"

/opt/splunk/etc/apps/RabbitMQ_Settings/local/props.conf           [rabbitmq:queues:json]
/opt/splunk/etc/system/default/props.conf                         ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf                         ANNOTATE_PUNCT = True
/opt/splunk/etc/apps/RabbitMQ_Settings/local/props.conf           AUTO_KV_JSON = false
/opt/splunk/etc/system/default/props.conf                         BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf                         BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf                         CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf                         DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf                         DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/props.conf                         DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false
/opt/splunk/etc/system/default/props.conf                         HEADER_MODE =
/opt/splunk/etc/apps/RabbitMQ_Settings/local/props.conf           INDEXED_EXTRACTIONS = json
/opt/splunk/etc/apps/RabbitMQ_Settings/local/props.conf           KV_MODE = none
/opt/splunk/etc/system/default/props.conf                         LB_CHUNK_BREAKER_TRUNCATE = 2000000
/opt/splunk/etc/system/default/props.conf                         LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf                         LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf                         LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf                         MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf                         MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf                         MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf                         MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf                         MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf                         MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf                         MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf                         MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                         MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                         MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf                         SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf                         SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf                         TRANSFORMS =
/opt/splunk/etc/system/default/props.conf                         TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf                         detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf                         maxDist = 100
/opt/splunk/etc/system/default/props.conf                         priority =
/opt/splunk/etc/system/default/props.conf                         sourcetype =
/opt/splunk/etc/system/default/props.conf                         termFrequencyWeightedDist = false
/opt/splunk/etc/system/default/props.conf                         unarchive_cmd_start_mode = shell

However, even with all that in place, we're still seeing duplicate values when using tables:

index="rabbitmq"
| table _time messages state