I had another quick look at your config, and suspect you might have a few issues with it. As far as I can see you are dropping the message field for events where keepalive early on, but I do not see this explicitly caught in the section where document ids are created (although I do not know what the data looks like, so it could have one of the other fields). If this goes to the default fingerprint id generation, all documents will get the same ID as the message field does not exist for these records.
An easy way to check this would be to look at the index statistics for deletes, as that can be an indication of updates being performed. You could also disable setting your own ID in the elasticsearch output and see if this makes a difference.
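As an added illustration of the failure mode described in this reply (not the original poster's config), the pipeline below shows a fingerprint taken from a `message` field that was removed earlier for keepalive events, and a variant that avoids the collision. The `[type] == "keepalive"` condition, the `[@metadata][doc_id]` target, the hosts, index name and key are all assumed placeholders.

```logstash
filter {
  if [type] == "keepalive" {            # assumed condition for the keepalive events
    mutate { remove_field => ["message"] }
  }

  # Problem: the id is derived from a field the keepalive events no longer carry.
  # Whether the filter hashes an empty value or leaves the target unset (in which
  # case the unresolved "%{[@metadata][doc_id]}" becomes the literal id), every
  # keepalive event gets the same document_id and overwrites the previous one,
  # which shows up as a growing deleted-docs count in the index statistics.
  # fingerprint {
  #   source => "message"
  #   target => "[@metadata][doc_id]"
  #   method => "SHA256"
  #   key    => "replace-with-your-own-key"
  # }

  # Fix: only derive an id from [message] when the field actually exists.
  if [message] {
    fingerprint {
      source => "message"
      target => "[@metadata][doc_id]"
      method => "SHA256"
      key    => "replace-with-your-own-key"
    }
  }
}

output {
  if [@metadata][doc_id] {
    # Idempotent ingest: re-sending the same line updates the same document.
    elasticsearch {
      hosts       => ["localhost:9200"]
      index       => "logs-%{+YYYY.MM.dd}"
      document_id => "%{[@metadata][doc_id]}"
    }
  } else {
    # Keepalive events keep an Elasticsearch-generated id instead of colliding.
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logs-%{+YYYY.MM.dd}"
    }
  }
}
```

To confirm the diagnosis before changing anything, `GET <index>/_stats/docs` reports `docs.deleted` for the index; a count that climbs while only keepalive events arrive indicates that documents are being overwritten rather than added.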