Not sure if the answer below will help you.
You can check the duplicated events along with their time of indexing with the query below:
index=<your_index> sourcetype=<your_sourcetype> | eval dup=_raw | convert ctime(_time) as T1 | convert ctime(_indextime) as indextime | transaction dup mvlist=t maxspan=1s keepevicted=true | table dup,source,sourcetype,host,index,indextime
Process to delete the duplicated events:
Run the following command to store all duplicate events in a lookup table.
index=* sourcetype=wsa_accesslogs | eval id=_cd."|".index."|".splunk_server | transaction _raw maxspan=1s keepevicted=true mvlist=t | search eventcount>1 | eval delete_id=mvindex(id, 1, -1) | stats c by delete_id | outputlookup delete_these.csv
Once the search finishes completely, you can view the events stored in the lookup table by running the following command:
| inputlookup delete_these.csv
Note: You need to wait until your search completes. You can use smart mode as well.
You can also check the newly created lookup table at $Splunk_Home\etc\apps\app_name\lookups\delete_these.csv
Run the following command to delete all events from the source type that also exist in the lookup table (in your case it's delete_these.csv):
index=* sourcetype=wsa_accesslogs | eval delete_id=_cd."|".index."|".splunk_server | search [|inputlookup delete_these.csv | fields delete_id | format "(" "(" "OR" ")" "OR" ")"] | delete
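Added example, not part of the original answer and not Splunk code: a simplified Python model of the selection logic in the searches above, showing which copies end up in delete_these.csv and that identical events more than maxspan apart are left alone. The Event tuple, the function names and the sample events are constructed for illustration, and the model keeps the earliest copy in each group, whereas in Splunk the surviving copy is whichever one transaction lists first.

```python
from collections import namedtuple

# Constructed stand-in for a Splunk event; cd models the _cd bucket address.
Event = namedtuple("Event", "time cd index server raw")

def event_id(e):
    # Same key the searches build: _cd."|".index."|".splunk_server
    return f"{e.cd}|{e.index}|{e.server}"

def ids_to_delete(events, maxspan=1.0):
    """Group identical raw text whose span is <= maxspan seconds and
    return the ids of every copy except the first one in each group."""
    open_groups = {}   # raw -> (start_time, [ids]) for the group still open
    closed = []        # id lists of groups that ran past maxspan
    for e in sorted(events, key=lambda ev: ev.time):
        start, ids = open_groups.get(e.raw, (None, None))
        if start is not None and e.time - start <= maxspan:
            ids.append(event_id(e))
        else:
            if ids:
                closed.append(ids)
            open_groups[e.raw] = (e.time, [event_id(e)])
    closed.extend(ids for _, ids in open_groups.values())
    # Models "search eventcount>1" followed by mvindex(id, 1, -1):
    # skip single-event groups, keep the first id, delete the rest.
    return sorted(i for ids in closed if len(ids) > 1 for i in ids[1:])

# Constructed sample events (not real log data).
SAMPLE = [
    Event(100.0, "12:340", "proxy", "idx1", "GET /a 200"),
    Event(100.2, "12:341", "proxy", "idx1", "GET /a 200"),  # duplicate
    Event(100.4, "7:19", "proxy", "idx2", "GET /a 200"),    # duplicate, other indexer
    Event(105.0, "12:350", "proxy", "idx1", "GET /a 200"),  # same text, 5 s later
    Event(100.1, "12:342", "proxy", "idx1", "GET /b 404"),  # unique
]

if __name__ == "__main__":
    for delete_id in ids_to_delete(SAMPLE):
        print(delete_id)
```
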