Hey.

My antivirus generates 4 html reports every day in a folder, but I see a different number of events every time in Splunk (from 2 to 4). I think it's because reports may be same, so Splunk doesn't make new events. It does create dates for these reports every time.

inputs.conf on forwarder:

[monitor://C:\splrpt\*.html]
disabled = false
sourcetype = kavsrc
index = kav