Thanks Fabien, that worked but not exactly sure why. I thought custom_id just added a tag to the document in ES.
On Sep 8, 2016, at 9:45 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Thu, Sep 08, 2016 at 03:43:17PM +0200, Fabien Wernli wrote:
custom_id("syslog-ng")
^^^^^^^^^^^^^^^^^^^^^^
There's your problem: all documents will be assigned the literal "syslog-ng" as _id, so you're basically pushing all data overwriting the same document again and again :-)
so the fix is simply to drop that option altogether
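The overwrite behaviour described in the thread, as an added example that is not part of the original messages and is not syslog-ng or Elasticsearch code. It is a simplified model of indexing by `_id`; `ToyIndex`, `ship` and `overwritten_ids` are hypothetical names, the sample messages are constructed, and the `_version` and `created` fields mimic an index response.

```python
"""Simplified model of index-by-_id semantics (assumption: not real ES code)."""
import uuid


class ToyIndex:
    """Stores documents keyed by _id, the way an index operation does."""

    def __init__(self):
        self.docs = {}  # _id -> (version, source)

    def index(self, source, doc_id=None):
        # With no _id supplied, a fresh unique one is generated per document.
        if doc_id is None:
            doc_id = uuid.uuid4().hex
        version = self.docs.get(doc_id, (0, None))[0] + 1
        # Same _id again: the stored document is replaced and its version bumps.
        self.docs[doc_id] = (version, source)
        return {"_id": doc_id, "_version": version, "created": version == 1}


def ship(messages, custom_id=None):
    """Index every message; custom_id mimics a literal custom_id() value."""
    idx = ToyIndex()
    responses = [idx.index({"MESSAGE": m}, custom_id) for m in messages]
    return idx, responses


def overwritten_ids(responses):
    """Return the _ids that were written more than once (lost log lines)."""
    return sorted({r["_id"] for r in responses if not r["created"]})


# Constructed sample messages.
MESSAGES = ["sshd: accepted publickey", "sudo: session opened", "cron: job started"]

if __name__ == "__main__":
    fixed, fixed_resp = ship(MESSAGES, custom_id="syslog-ng")
    auto, auto_resp = ship(MESSAGES)
    print("literal _id:", len(fixed.docs), "doc(s), overwritten:",
          overwritten_ids(fixed_resp))
    print("auto _id   :", len(auto.docs), "doc(s), overwritten:",
          overwritten_ids(auto_resp))
```

With the literal `_id` only the last message survives, at version 3; without it each message is stored as its own document.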