forked from jfrog/log-analytics-splunk
fluent.conf.rt6
# Tails the Artifactory service log and emits each entry under the tag
# jfrog.rt.artifactory.service.
# The path is built from the ARTIFACTORY_HOME environment variable when the
# config is loaded; if the variable is unset the path collapses to
# /logs/artifactory.log, so check that it is exported for the fluentd process.
<source>
@type tail
@id artifactory_service_tail
path "#{ENV['ARTIFACTORY_HOME']}/logs/artifactory.log"
# The read-position file is written next to the log, so the fluentd account
# needs write access to this directory in addition to read access to the log.
pos_file "#{ENV['ARTIFACTORY_HOME']}/logs/artifactory.log.pos"
tag jfrog.rt.artifactory.service
<parse>
@type multiline
# A new event starts at a line containing a yyyy-m-d date; lines without one
# (for example stack-trace continuations) are folded into the current event.
format_firstline /\d{4}-\d{1,2}-\d{1,2}/
# Captures: timestamp, service_type, log_level, trace_id, class_line_number,
# thread, message.
# NOTE(review): class_line_number and thread use greedy .* rather than [^\]]*,
# so a message that itself contains "] [" or "] -" can shift the field
# boundaries. Confirm against real log samples before alerting on these fields.
format1 /^(?<timestamp>[^ ]*) \[(?<service_type>[^\]]*)\] \[(?<log_level>[^\]]*)\] \[(?<trace_id>[^\]]*)\] \[(?<class_line_number>.*)\] \[(?<thread>.*)\] -(?<message>.*)$/
# The event time is taken from the captured timestamp field.
time_key timestamp
time_format %Y-%m-%dT%H:%M:%S.%LZ
</parse>
</source>
# Tails the Artifactory HTTP request log and emits each line under the tag
# jfrog.rt.artifactory.request.
<source>
@type tail
@id artifactory_request_tail
path "#{ENV['ARTIFACTORY_HOME']}/logs/request.log"
pos_file "#{ENV['ARTIFACTORY_HOME']}/logs/request.log.pos"
tag jfrog.rt.artifactory.request
<parse>
@type regexp
# Pipe-delimited line. Captures, in order: timestamp, trace_id, remote_address,
# username, request_method, request_url, return_status,
# response_content_length, request_content_length, request_duration,
# request_user_agent.
# request_url, username and remote_address are forwarded verbatim.
# NOTE(review): if clients can put credentials or tokens in query strings,
# they will be indexed downstream. Confirm, and mask them before output if so.
# NOTE(review): unlike the other parsers in this file, this expression is not
# wrapped in /.../. Confirm the fluentd version in use accepts the bare form.
expression ^(?<timestamp>[^ ]*)\|(?<trace_id>[^\|]*)\|(?<remote_address>[^\|]*)\|(?<username>[^\|]*)\|(?<request_method>[^\|]*)\|(?<request_url>[^\|]*)\|(?<return_status>[^\|]*)\|(?<response_content_length>[^\|]*)\|(?<request_content_length>[^\|]*)\|(?<request_duration>[^\|]*)\|(?<request_user_agent>.+)$
# The event time is taken from the captured timestamp field.
time_key timestamp
time_format %Y-%m-%dT%H:%M:%S.%LZ
</parse>
</source>
# Adds repo and image to request events, taken from fixed positions in
# request_url after splitting on '/' (indexes 3 and 5).
# NOTE(review): a later filter in this file for the same tag sets repo and
# image again with a Docker-API guard, so this unguarded filter looks
# superseded. Confirm before relying on it.
<filter jfrog.rt.artifactory.request>
@type record_transformer
# enable_ruby makes the ${...} values below Ruby expressions run per record.
# The log fields are only passed in as String data, but whoever can edit this
# file can run code as the fluentd process, so restrict write access to it.
enable_ruby true
<record>
# split('/')[n] is nil when request_url has fewer than n+1 segments.
repo ${record["request_url"].split('/')[3]}
image ${record["request_url"].split('/')[5]}
</record>
</filter>
# Tails the Artifactory access (authentication / authorization) log and emits
# each line under the tag jfrog.rt.artifactory.access.
<source>
@type tail
@id artifactory_access_tail
path "#{ENV['ARTIFACTORY_HOME']}/logs/access.log"
pos_file "#{ENV['ARTIFACTORY_HOME']}/logs/access.log.pos"
tag jfrog.rt.artifactory.access
<parse>
@type regexp
# Captures: timestamp, trace_id, action_response, repo_path, username, ip.
# username and ip are both greedy .+ separated by '/', so the split happens at
# the LAST slash on the line. The trailing '.' before '$' is unescaped and
# matches any single character, not only a literal dot.
# NOTE(review): login names are presumably client-supplied; a name containing
# '/' or " for client : " would skew the username/ip/repo_path boundaries.
# Confirm with samples before building detections on these fields.
expression /^(?<timestamp>[^ ]*) \[(?<trace_id>[^\]]*)\] \[(?<action_response>[^\]]*)\] (?<repo_path>.*) for client : (?<username>.+)/(?<ip>.+).$/
# The event time is taken from the captured timestamp field.
time_key timestamp
time_format %Y-%m-%dT%H:%M:%S.%LZ
</parse>
</source>
# Applies to every jfrog.* event: stamps the collecting host and the event's
# own tag onto the record.
<filter jfrog.**>
@type record_transformer
<record>
# Embedded Ruby inside a double-quoted value: this is the host fluentd runs
# on, not a value read from the log line.
hostname "#{Socket.gethostname}"
# log_source carries the fluentd tag; the Splunk output in this file reads it
# through sourcetype_key.
log_source ${tag}
</record>
</filter>
# Sets repo and image on request events only for Docker API URLs: request_url
# must contain "/api/docker" and must not contain "/api/docker/null" or
# "/api/docker/v2". For every other URL both fields are set to "".
<filter jfrog.rt.artifactory.request>
@type record_transformer
# enable_ruby makes the ${...} values below Ruby expressions run per record.
enable_ruby true
<record>
# include? matches anywhere in request_url, not only at the start of the path.
# When the guard passes but the URL has fewer segments than expected,
# split('/')[n] yields nil rather than a string.
repo ${record["request_url"].include?("/api/docker") && !record["request_url"].include?("/api/docker/null") && !record["request_url"].include?("/api/docker/v2") ? (record["request_url"].split('/')[3]) : ("")}
image ${record["request_url"].include?("/api/docker") && !record["request_url"].include?("/api/docker/null") && !record["request_url"].include?("/api/docker/v2") ? (record["request_url"].split('/')[5]) : ("")}
</record>
</filter>
# Derives impacted_artifacts for access events from repo_path, which is split
# on ':'. The result is "default/" + first part + "/" + second part, with
# trailing whitespace stripped from the second part.
<filter jfrog.rt.artifactory.access>
@type record_transformer
# enable_ruby makes the ${...} value below a Ruby expression run per record.
enable_ruby true
<record>
# The if has no else branch, so a repo_path of length 0 or 1 evaluates to nil.
# NOTE(review): a longer repo_path with no ':' makes split(':')[1] nil, and
# .rstrip then raises. What the record ends up holding depends on how
# record_transformer handles the error. Confirm, since events without
# impacted_artifacts may be missed by searches on that field.
impacted_artifacts ${if record['repo_path'].length > 1; "default/" + record["repo_path"].split(':')[0] + "/" + record["repo_path"].split(':')[1].rstrip ; end;}
</record>
</filter>
####################
# SPLUNK OUTPUT
####################
# Sends every jfrog.* event to a Splunk HTTP Event Collector as JSON.
# HEC_HOST, HEC_PORT and HEC_TOKEN look like placeholders to be replaced
# before deployment.
<match jfrog.**>
@type splunk_hec
host HEC_HOST
port HEC_PORT
# The token is a credential for the collector. Once filled in, keep this file
# readable only by the fluentd service account, or supply the value from the
# environment the way the tail sources read ARTIFACTORY_HOME.
token HEC_TOKEN
index jfrog_splunk
format json
# The Splunk sourcetype is taken from each record's log_source field (the
# fluentd tag, added by the jfrog.** filter in this file).
sourcetype_key log_source
use_fluentd_time false
# buffered output parameter
# Buffered events are flushed to the collector every 10 seconds.
flush_interval 10s
# ssl parameter
# NOTE(review): both TLS settings below are commented out. Unless the plugin
# enables TLS by default (confirm), the token and every forwarded record
# (usernames, client IPs, request URLs) travel to HEC_HOST unencrypted. Enable
# use_ssl and point ca_file at the collector's CA for any endpoint that is not
# on loopback.
#use_ssl true
#ca_file /path/to/ca.pem
</match>