This occurs because you are using CLONE_SOURCETYPE, which generates a duplicate event, and you are not employing any system to prevent the duplicate from being indexed.
Sending an event to syslog doesn't prevent it from being indexed. That's why in the support case we ended up suggesting a short-term solution of inserting a forwarder to make the decision to not-forward via modification of _TCP_ROUTING.
For most users in this situation, simply asking for the original event to be sent to syslog will work fine without any CLONE_SOURCETYPE, because the syslog sendout will convert the original event to a single line format in the process of sending it out via that channel. However, your needs are less common because the accepting app doesn't like whatever format Splunk produces by default.
Another possible approach that I did not try, because it seemed to have drawbacks, was looking into the use of the _INDEX_AND_FORWARD_ROUTING key, while configuring the indexer to, by default, index no data that is forwarded (indexAndForward = false), running a transform over ALL data to set this key, and then removing the key only for your cloned events. It seemed unpalatable because it's fragile and confusing, and also because no one had the time to prove this approach viable in the response-time available.
... View more