This is a late response, but as someone going through a similar issue, and for anyone who may come across this for help in the future: the issue with the stanza provided is that you are using the same sourcetype that Splunk uses when logs are directly forwarded and indexed from a Windows host to the Splunk server. For your case you would want to change it to:
[monitor://D:\Splunk\*.evtx]
disabled = 0
sourcetype = preprocess-winevt
index = wineventlog