In my use case, I need to forward logs from application servers to intermediate forwarders, then from the intermediate forwarder to Splunk Indexers. Can anybody help me in providing a sample configuration file for this?
See this (old post but you can refer to latest documentation for each step)
https://answers.splunk.com/answers/10429/is-there-an-example-configuration-available-for-an-intermed...
Basically
Setup Forwarding on Universal forwarder (installed on your application servers) - (should forward to your Intermediate forwarder) http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/EnableforwardingonaSplunkEnterpriseinst... Setup Receiving and Forwarding on Intermediate forwarder : (should forwarder to Indexers) http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Configureanintermediateforwarder Setup Receiving on Indexer: http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Enableareceiver
