I had the same problem with "status-logs" of some compnents.
{"Name":"CompA", "Timestamp":"November 27th 2015, 10:08:03.443", "Status":"False"}
{"Name":"CompB", "Timestamp":"November 27th 2015, 10:08:05.673", "Status":"True"}
{"Name":"CompA", "Timestamp":"November 27th 2015, 10:08:08.245", "Status":"True"}
{"Name":"CompC", "Timestamp":"November 27th 2015, 10:08:11.862", "Status":"True"}
You see "CompA" was updated to True, so my False Status isn't important for me.
I solved that problem with de "Type" at Elasticsearch ...
I wanted the "Name" to become a Primarykey and tried this in my logstash config:
output { elasticsearch { index => "komponents" document_id => "%{Name}" }
So every time when a log with an existing name appears, Elasticsearch will make a new "Version" of this log and the old is no longer in your search/visualization.
Was that your problem?