The Splunk/UniversalForwarder docker image is still hampered by this problem (in my testing anyway) so I'm happy to share details on how I managed to proceed.
You referenced this in your question: https://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html
Well, the help I needed was right in there. Possibly the accepted answer has been beefed up a bit since you first read that page? Right in the first paragraph of the accepted answer you'll find the following about the matter, which was enough to get me past the problem:
Note: the CLI may ask you to authenticate – it’s asking for the LOCAL credentials, so if you haven’t changed the admin password on the forwarder, you should use admin/changeme
Here are the bash commands I used:
## replace ip.ad.re.ss:port in 2 places below with the ip address for your splunk
## enterprise server and port number for the receiver you configured under
## Settings / Forwarding and Receiving / Receive data / Add New
# docker pull splunk/universalforwarder:6.5.0-monitor
# docker run --name splunkuniversalforwarder \
--env SPLUNK_START_ARGS='--accept-license --answer-yes' \
--env SPLUNK_FORWARD_SERVER=ip.ad.re.ss:port \
--env SPLUNK_USER=root \
--volume /var/lib/docker/containers:/host/containers:ro \
--volume /var/log:/docker/log:ro \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--volume volume_splunkuf_etc:/opt/splunk/etc \
--volume volume_splunkuf_var:/opt/splunk/var \
-d splunk/universalforwarder:6.5.0-monitor
## ...it starts, runs, does nothing useful - we need to tell it we are serious
# docker exec -it splunkuniversalforwarder entrypoint.sh splunk login
# docker exec splunkuniversalforwarder entrypoint.sh splunk add forward-server ip.ad.dr.es:port
Subsequent to running the above, the "Docker Overview" app within Splunk Enterprise started to show me some details about docker. Not every panel is getting data (most notably, still no logs), but some docker-related information is now flowing.
... View more