I just realized that the duplicate entries are tagged with different sources.
One came from /var/log/syslog, and the other came from /var/log/syslog.2.gz
I grepped through /var/log/syslogs*, and can only find one pair of events with a particular process ID... which the Splunk search app shows as happening twice with the exact same timestamp. The duplication lasts for a 24-hour period.
I was thinking that maybe log rotation created a condition to allow this, but the duplication continues for 24 hours... far longer than it takes to rotate the logs.
Anyway, still not resolved, but extra information.
R