I don't know if I have understood your question very well. For more suggestion about my answer please let me now.
A Splunk Enterprise instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk Enterprise indexer, but can also be another forwarder, as described:
Set up receiving
Before enabling a Splunk Enterprise instance (either an indexer or a forwarder) as a receiver, you must install it. You can then enable receiving on the instance through Splunk Web, the CLI, or the inputs.conf configuration file. Set up receiving with Splunk Web Use Splunk Web to set up a receiver:
For more information about collecting the data see Splunk-6.1.1-Forwarding manual:
Hmm, CJOS wants to know how he can be sure that a forwarder configured to monitor the file
foo has read everything in the file and sent it to the indexer.....the indexer itself can do event hashing to handle this. But how can we be sure a forwarder did read everything and did not discard any events for what ever reason?
we must try to download splunkforwarder-6.2.1-196940-x64-release or splunkforwarder-6.2.1-196940-x86-release software to the following address: and
http://www.splunk.com/download/universalforwarder install it on your machine and then follow the link
http://www.macintom.com/wp/2012/05/30/splunk-partie-1-presentation-et-installation/ for setting.
please forgive my english
good luck for the future.