I took a good look at my mapping and I disabled the _all field. Full-text search is not useful for our Netflow use case. I also took a look at the shard request cache. I put "index.requests.cache.enable": true in the mapping, and I changed the node-cache size on each node to 3% of the heap. When I collected some more data, I will check whether this actually helps!

I understand your idea @chenjinyuan87, thanks!

I will post an update when I have new findings.

Thanks!
---
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB