I took a good look at my mapping and I disabled the _all field. Full-text search is not useful for our Netflow use case. I also took a look at the shard request cache. I put "index.requests.cache.enable": true in the mapping, and I changed the node-cache size on each node to 3% of the heap. When I collected some more data, I will check whether this actually helps!
I understand your idea @chenjinyuan87, thanks!
I will post an update when I have new findings.