When searching on your main indexer, can you add | dedup at the end of your search and see if the number of results drops to the level you see on the forwarder? Also, when manually reviewing the results on your indexer, do you actually see duplicate events? Splunk should not be sending dupes unless you have duplicate monitors (for example a monitor and a WMI monitor for the same event log source).
... View more