What is the best option between the Splunk logging driver for Docker and a Universal Forwarder running on the host or inside the container for sending logs to an indexer server? What are the limitations of the Splunk logging driver for Docker?
Go into Splunk Slack and message @mattymo or @ninja. They are the experts there.
Check out this writeup for Splunking Docker containers:
https://www.tekstream.com/news/containerization-and-splunk-how-docker-and-splunk-work-together/
(From the first search result for 'docker universal forwarder': https://answers.splunk.com/answers/569238/does-splunk-provide-fully-supported-docker-univers.html )
From the links that Nate has provided, it looks like it is possible to get more information from the free app for Docker, as well as not having to do much to the Docker environment. I'd go with that app.