We recently moved some inputs from universal forwarders to a pair of heavy forwarders for pre-processing. Since then one sourcetype shows 2–3× the expected event count, license usage jumped, and dashboards double-count. How do I confirm it's true duplication, find the source, and stop it the right way — without slapping dedup on every search?