Duplicate events are being captured by syslog (and therefore Splunk too). For example, nagios events are being written to the following two files on the central syslog server:
user.log
syslog
Splunk ingests these log files into the default index called "main" with a sourcetype of "syslog".
How do I configure Splunk to discard duplicate events and ingest the nagios events into the "nagios" index with a sourcetype of "nagios"?