What is the issue?

Stash files are used by Splunk to serialise the events so that they can be indexed.

The source can be overridden in the collect command.

These are from two different reports - if you are interested, you should look at the settings for those reports to see the differences in how they are sent to the summary index.

As for the times, where the times are almost identical, this is likely to be due to a cron job, which potentially is from a unix-based system, whereas the sources with more different times look like they are from a Windows-based system, which doesn't usually have cron.

@ITWhisperer 

Both the Saved searches are running at the same time. In your view, Is this causing the issue ?

@ITWhisperer Is that possible to check who run the adhoc search of backfill of summary index from the _audit index ?

@ITWhisperer

What caused the creation of these "D:\Splunk\var\spool\splunk\99ec742c0c976c35_events.stash_new" files? Instead of spool files, that should be the name of the report.

Do stash-spool files get created when a saved search is used ad hoc or backfill? When there are no spool files being created by scheduled?

The stash files are usually created by the collect command.

Depending on your retention settings, you may be able to find out who ran the report from your _audit index.

@ITWhisperer

Manual runs of the search and to collect into summary index create those stash files. It is unrelated to the occurrence of duplicate events. The allocation of all sources is equal (25%) , as you can see below. Is that correct ?

These are consistent with the info_search_time graphic you shared earlier - is that what you are asking?

@ITWhisperer  I think this is the best suitable answer for my question as you posted earlier.

"it looks like the reports that were run on Feb 29th were done manually / ad hoc to back-fill the summary index for the earlier weeks before the schedule was set up and running correctly."