Hi again,

On Thu, Sep 08, 2016 at 12:16:22AM -0400, Scot Needy wrote:
> destination d_es {
>   elasticsearch2(
>     index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
>     type("syslog-ng") # Description: The type of the index. For example, type("test")
>     port("9300")
>     server("127.0.0.1")
>     concurrent-requests("5")
>     flush_limit("1")
>     client-mode("transport")
>     skip-cluster-health-check("yes")
>     cluster("meo")
>     custom_id("syslog-ng")
      ^^^^^^^^^^^^^^^^^^^^^^
There's your problem: all documents will be assigned the literal "syslog-ng" as _id, so you're basically pushing all data overwriting the same document again and again :-)
Sorry for not reading your config the first time.
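
A check for the misconfiguration described in this reply, as an added example that is not part of the original message: it scans syslog-ng configuration text for `elasticsearch2()` destinations whose `custom_id()` contains no macro, so every message would get the same `_id`. The function names and the sample configuration are constructed for illustration, and the `${HOST}-${UNIQID}` value is only one possible per-message template, assumed here rather than taken from the thread.

```python
import re

MACRO = re.compile(r'\$(?:\{[^}]+\}|\([^)]+\)|[A-Za-z_]\w*)')   # ${X}, $(X), $X
DEST = re.compile(r'\bdestination\s+([\w.-]+)\s*\{')
CUSTOM_ID = re.compile(r'\bcustom[_-]id\(\s*"((?:[^"\\]|\\.)*)"\s*\)')

def strip_comments(text):
    """Drop '#' comments, keeping '#' characters inside double-quoted strings."""
    out = []
    for line in text.splitlines():
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != '\\'):
                in_quote = not in_quote
            elif ch == '#' and not in_quote:
                line = line[:i]
                break
        out.append(line)
    return '\n'.join(out)

def constant_custom_ids(conf):
    """List (destination, value) for elasticsearch2 custom_id() values without a macro."""
    conf = strip_comments(conf)
    heads = list(DEST.finditer(conf))
    findings = []
    for n, head in enumerate(heads):
        end = heads[n + 1].start() if n + 1 < len(heads) else len(conf)
        body = conf[head.end():end]
        if 'elasticsearch2(' not in body:
            continue
        for m in CUSTOM_ID.finditer(body):
            if not MACRO.search(m.group(1)):   # constant template: one _id for every message
                findings.append((head.group(1), m.group(1)))
    return findings

# Constructed sample config, not the poster's full configuration.
SAMPLE_CONF = r'''
destination d_es {
  elasticsearch2(
    index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
    type("syslog-ng")  # a commented-out custom_id("ignored") must not be reported
    custom_id("syslog-ng")
  );
};
destination d_es_ok {
  elasticsearch2(index("syslog-ng_${YEAR}") custom_id("${HOST}-${UNIQID}"));
};
'''

if __name__ == "__main__":
    for dest, value in constant_custom_ids(SAMPLE_CONF):
        print(f'{dest}: custom_id("{value}") is constant; every message gets the same _id')
```

A value built only from coarse macros such as `${YEAR}` would pass this check yet still collide, so treat a clean result as necessary rather than sufficient.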