Faced same issue, it was because we sent logs before installing Splunk Add-on For MS Windows on Indexer. Before this Add-on logs were tagged with source=WinEventLogs and after installing this Add-on the logs are tagged with source=xmlWinEventLogs. No duplicate events, just change in source tagging.
... View more