I'm implementing an IDS solution (Suricata). I am sending logs via Filebeat to a remote ELK server. What happens is that I'm not getting real-time searches. For instance, on the "Discovery" page an event that happened at a given time (actual log timestamp) is being ingested 30 min (or more) later. That period of time tends to increase.
Note that the Suricata logs are about 50Gb by the end of the day, so the rate is extremely high. Maybe this is occurring because of a lack of system resources?