In Rancher 2.2, there apparently was a change to how Splunk logging is configured. If your Splunk endpoint starts with https://, then the SSL configuration opens up text boxes for Client key and certificate. A client cert is not required to use the Splunk HEC, so why does Rancher now require it? It was not a requirement in 2.1 and it was working fine without client certs.
It turns out that the problem was related to SSL inspection blocking the Catalog from fetching the logging containers. This was the solution to get logging to work.