I haven’t come up with a solution, but some question I have as I was thinking about it:
- Does any of your data ever contain the “…” sequence, or is it only in the case of a truncated message?
- Are the truncated messages always sequential, or could there be an unrelated message slipped between them?
- can you change the max length of the message on the application, or failing that, can you change the delimiter to something more unique that would not appear in a message?
- Have you investigates slookup? GrayLog Stream Lookup (SLookup) Pipeline Processor function
I was thinking some sort of intermediate application to handle these and ship them to Graylog, but maybe there’s a way that Graylog can coalesce two messages together. I’d be interested to hear the solution you come up with, I hope you’ll post it.