I'm not checking the HEC token into Git so instead I use an env variable from an existing Secret for the sed step.
Artifactory is running, fluentd is running, but my sidecar container is full of parsing errors:
2021-10-12 18:45:09 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="invalid time format: value = 2021-10-12T18:45:09Z, error_class = ArgumentError, error = invalid date or strptime format - `2021-10-12T18:45:09Z' `%Y-%m-%dT%H:%M:%S.%LZ'" location="/opt/bitnami/fluentd/gems/fluentd-1.13.2/lib/fluent/plugin/parser.rb:196:in `rescue in parse_time'" tag="jfrog.rt.artifactory.request" time=2021-10-12 18:45:09.001736865 +0000 record={"message"=>"2021-10-12T18:45:09Z|56c1a63d7e218fc3|127.0.0.1|jffe@000|POST|/api/auth/loginRelatedData|200|46|0|12|JFrog-Frontend/1.27.7"}
2021-10-12 16:22:37 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="pattern not matched with data '2021-10-12T16:22:37.004Z [jffe ] [\e[34M[INFO ]\e[39M] [ ] [ ] [main ] - frontend (jffe) service initialization completed in 38.62 seconds. Listening on port: port 8070'" location=nil tag="jfrog.rt.frontend.service" time=2021-10-12 16:22:37.004951790 +0000 record={"message"=>"2021-10-12T16:22:37.004Z [jffe ] [\e[34M[INFO ]\e[39M] [ ] [ ] [main ] - frontend (jffe) service initialization completed in 38.62 seconds. Listening on port: port 8070"}
2021-10-12 16:22:36 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="pattern not matched with data '2021-10-12T16:22:36.183Z [jffe ] [\e[34M[INFO ]\e[39M] [ ] [ ] [main ] - artifactory was pinged successfully'" location=nil tag="jfrog.rt.frontend.service" time=2021-10-12 16:22:36.183468419 +0000 record={"message"=>"2021-10-12T16:22:36.183Z [jffe ] [\e[34M[INFO ]\e[39M] [ ] [ ] [main ] - artifactory was pinged successfully"}
I know the token is right, I've tested sending a single event from the container to test it and that gets sent OK. It is definitely a parsing issue, and it just makes me worry I may lose crucial logs.
I've followed the examples on this site, specifically the one at https://github.com/jfrog/log-analytics-splunk/blob/master/helm/artifactory-ha-values.yaml, in order to get fluentd forwarding to Splunk. My setup is almost identical to that link, with two changes that I don't believe would have any impact here:
Many thanks, Michael
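A triage script for the warnings quoted above, as an added example that is not part of the original post or of the JFrog configuration: it tallies rejected events per tag and cause, and shows that the time format named in the first warning rejects a timestamp without fractional seconds while a fallback without `.%L` accepts it. The sample lines are shortened copies of the quoted warnings, and `classify`, `tally`, `ansi_tags` and `parse_time` are hypothetical helper names.

```ruby
require "date"

# Constructed sample: fluentd warnings shortened from the ones quoted above, plus one non-error line.
SAMPLE = <<~'LOG'
  2021-10-12 18:45:09 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="invalid time format: value = 2021-10-12T18:45:09Z" tag="jfrog.rt.artifactory.request" record={"message"=>"2021-10-12T18:45:09Z|56c1a63d7e218fc3|127.0.0.1|jffe@000|POST|/api/auth/loginRelatedData|200"}
  2021-10-12 16:22:37 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="pattern not matched with data '2021-10-12T16:22:37.004Z [jffe ] [\e[34M[INFO ]\e[39M]'" location=nil tag="jfrog.rt.frontend.service"
  2021-10-12 16:22:36 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="pattern not matched with data '2021-10-12T16:22:36.183Z [jffe ] [\e[34M[INFO ]\e[39M]'" location=nil tag="jfrog.rt.frontend.service"
  2021-10-12 16:22:35 +0000 [info]: #0 constructed non-error line
LOG

# Classify one "dump an error event" warning; returns nil for any other line.
def classify(line)
  return nil unless line.include?("dump an error event")
  cause = if line.include?("invalid time format") then :time_format
          elsif line.include?("pattern not matched") then :pattern
          else :other
          end
  # ansi: the rejected text carries a literal \e[ colour sequence (a hint, not a diagnosis)
  { tag: line[/ tag="([^"]+)"/, 1], cause: cause, ansi: line.include?('\e[') }
end

# Count rejected events per [tag, cause] so forwarding gaps are visible per log source.
def tally(log)
  log.each_line.map { |l| classify(l) }.compact
     .group_by { |e| [e[:tag], e[:cause]] }
     .transform_values(&:size)
end

# Tags whose rejected records contain colour escape sequences.
def ansi_tags(log)
  log.each_line.map { |l| classify(l) }.compact.select { |e| e[:ansi] }.map { |e| e[:tag] }.uniq
end

# First entry is the format from the warning; the second drops ".%L" (an assumed fallback).
FORMATS = ["%Y-%m-%dT%H:%M:%S.%LZ", "%Y-%m-%dT%H:%M:%SZ"].freeze

# Parse a timestamp as UTC, trying each format in order; nil if none matches.
def parse_time(value)
  FORMATS.each do |fmt|
    h = Date._strptime(value, fmt)
    next unless h && !h.key?(:leftover)
    return Time.utc(h[:year], h[:mon], h[:mday], h[:hour], h[:min], h[:sec] + (h[:sec_fraction] || 0))
  end
  nil
end

puts tally(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

Run against the sidecar's real output, the per-tag counts show which log sources are not reaching Splunk and how many events each has lost.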