In my setup, Docker uses journald as a log driver. Fluentd reads logs from the journal and pushes them to Elasticsearch. Some of the logs are even 500k chars long, so Docker obviously splits them when they are bigger than 16kB. https://github.com/fluent-plugin-systemd/fluent-plugin-systemd and https://github.com/okushchenko/fluent-plugin-docker-journald-concat are used to read Docker journal logs and concatenate them (if needed). The only problem is that the resulting concatenated logs include a strange ' true' separator. It is situated in random places. I assume this is a part of metadata added by Docker and it denotes a partial message. How to get rid of it, or how to force Fluentd to ignore it in the resulting field value?

An example of concatenated log message:

{"host": 1, msg: \"test1\":\"9\",\"test2\":\"8800\",\ true"Status\":{\"StatusId\":\"1\",\"Status1\":\"Active\"}

Right now I am using a piece of embedded Ruby code to replace this string, but it does not seem to be the best approach.


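As an added example (not code from the question or from either plugin), this is how partial journal entries can be reassembled so that only the log text is joined and the result is checked before indexing. It assumes Docker's journald driver marks every non-final chunk with CONTAINER_PARTIAL_MESSAGE=true; the sample entries are constructed.

```ruby
require 'json'

# Docker's journald log driver splits a log line longer than 16kB into several
# journal entries and marks every chunk except the last with
# CONTAINER_PARTIAL_MESSAGE=true (assumption stated in the lead-in). Only
# MESSAGE carries log text, so a correct concatenation joins MESSAGE values per
# container and never copies the flag field into the log.

# Constructed sample journal entries (short chunks stand in for 16kB ones);
# a second container's single-entry line is interleaved.
SAMPLE_ENTRIES = [
  { 'CONTAINER_ID' => 'c1', 'MESSAGE' => '{"host": 1, "msg": "test1=9,test2=8800",',
    'CONTAINER_PARTIAL_MESSAGE' => 'true' },
  { 'CONTAINER_ID' => 'c2', 'MESSAGE' => '{"host": 2, "msg": "short line"}' },
  { 'CONTAINER_ID' => 'c1', 'MESSAGE' => ' "Status": {"StatusId": "1",',
    'CONTAINER_PARTIAL_MESSAGE' => 'true' },
  { 'CONTAINER_ID' => 'c1', 'MESSAGE' => ' "Status1": "Active"}}' }
].freeze

# Join partial chunks per container; emit a complete line when a chunk
# without the partial flag arrives. Returns [{container_id:, message:}, ...]
# in completion order.
def reassemble(entries)
  buffers = Hash.new { |h, k| h[k] = +'' }
  entries.each_with_object([]) do |e, out|
    id = e.fetch('CONTAINER_ID')
    buffers[id] << e.fetch('MESSAGE')
    next if e['CONTAINER_PARTIAL_MESSAGE'] == 'true'
    out << { container_id: id, message: buffers.delete(id) }
  end
end

# Parse each reassembled line as JSON so a stray separator (such as the
# " true" seen in the question) surfaces as a parse error instead of being
# indexed silently.
def parse_logs(entries)
  reassemble(entries).map do |rec|
    rec.merge(json: JSON.parse(rec[:message]))
  end
end

if $PROGRAM_NAME == __FILE__
  parse_logs(SAMPLE_ENTRIES).each { |r| puts "#{r[:container_id]}: #{r[:json]}" }
end
```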