I don't know if I have understood your question very well. For more suggestion about my answer please let me now.
A Splunk Enterprise instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk Enterprise indexer, but can also be another forwarder, as described:
Set up receiving
Before enabling a Splunk Enterprise instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance through Splunk Web, the CLI, or the inputs.conf configuration file. Set up receiving with Splunk Web Use Splunk Web to set up a receiver:
Log into Splunk Web as admin on the server that will be receiving data from a forwarder.
Click the Settings link at the top of the page.
Select Forwarding and receivingin the Data area.
Click Add new in the Receive data section.
Specify which TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver will receive data on port 9997. By convention, receivers listen on port 9997, but you can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunk web or splunkd.
Click Save.You must restart the instance to complete the process.
Hmm, CJOS wants to know how he can be sure that a forwarder configured to monitor the file foo has read everything in the file and sent it to the indexer.....the indexer itself can do event hashing to handle this. But how can we be sure a forwarder did read everything and did not discard any events for what ever reason?