Another reason for missing update, as pointed by @przemekwitek here is the following : when the document is ingested into source index, its timestamp is "old", i.e.: older than 60s (the configured delay) than the actual server timestamp.
Yet that can be fixed by either :
- using @timestamp field in the
sync.timeproperty, as you did originally and with a lower frequency setting, - or, @timestamp is not the ingested time, by setting up an ingest pipeline on the source index that will populate a new
event.ingestedfield for every source document and then to useevent.ingestedfield in thesync.timesection of the transform config.