Agreed, a timestamp alone is not going to work. Currently I'm not using a message queue; it seems a bit much right now to add one to resolve this scenario. If one was in place already I would have pursued it though.
Is it possible to set up ES with an auto-increment field on insert? If that were possible, I could then query on it to find new records. If that is not possible, then I need a way for Logstash to generate an auto-increment and send it to ES to later query on.
Thanks,
E