I still think you need to look at why you are ending up with over 1000 fields - here is an example post of syslog Input with Fortigate where the input needed to be changed to RAW since the Syslog input was creating new fields for each message because it was parsing improperly. Alternatively you can split incoming to different indexes so that you reduce the number of fields in the index.