Packetbeat doesn't use the "took" field; instead it looks at the timestamp of the request and the timestamp of the response. At the moment it actually doesn't look into the payload at all, so it doesn't know that you have Elasticsearch running, just that there's an application using HTTP.
If you have the feeling that the values are not realistic, it could be that the request is matched with the response from another request. We call this a correlation problem. Causes could be packet drops or parsing errors.
One way to check for correlation issues is to configure packetbeat to store both the full request and the response (send_response: false and include_body_for: ["application/json"]), then for the transactions that have unrealistic times, check if the two seem to match.
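As an added illustration of the "check if the two seem to match" step (example code, not from the post or from Packetbeat itself): once the http protocol section has been configured to keep the raw request and response (the send_request / send_response and include_body_for options), the stored transactions can be scanned automatically for pairs that cannot belong together. The script below assumes older-style Packetbeat HTTP documents with a "responsetime" field in milliseconds and raw "request" / "response" strings; those field names are an assumption, and the sample documents are constructed. It flags two kinds of mismatch: an Elasticsearch response whose server-side "took" is larger than the wire-level responsetime (impossible if the pair is real), and a _search request paired with a response that has no "hits".

```python
import json
import sys

# Constructed sample documents in the shape of (older) Packetbeat HTTP transactions:
# "responsetime" is the request-to-response delta in milliseconds, "request" and
# "response" hold the raw HTTP messages captured with send_request/send_response.
# These field names are an assumption about the Packetbeat output format.
SAMPLE_EVENTS = [
    {   # 0: consistent pair, Elasticsearch 'took' is below the measured responsetime
        "type": "http", "method": "GET", "path": "/logs-2016/_search", "responsetime": 42,
        "request": 'GET /logs-2016/_search HTTP/1.1\r\nHost: es:9200\r\n\r\n{"query":{"match_all":{}}}',
        "response": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                    '{"took":18,"timed_out":false,"hits":{"total":3}}',
    },
    {   # 1: impossible timing, the server reports more time than the wire delta
        "type": "http", "method": "GET", "path": "/logs-2016/_search", "responsetime": 3,
        "request": 'GET /logs-2016/_search HTTP/1.1\r\nHost: es:9200\r\n\r\n{"query":{"match_all":{}}}',
        "response": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
                    '{"took":950,"timed_out":false,"hits":{"total":3}}',
    },
    {   # 2: a search request paired with an index-API style response (no "hits")
        "type": "http", "method": "GET", "path": "/logs-2016/_search", "responsetime": 7,
        "request": 'GET /logs-2016/_search HTTP/1.1\r\nHost: es:9200\r\n\r\n{"query":{"match_all":{}}}',
        "response": 'HTTP/1.1 201 Created\r\nContent-Type: application/json\r\n\r\n'
                    '{"_index":"logs-2016","_type":"doc","_id":"1","created":true}',
    },
]


def split_http_message(raw):
    """Split a raw HTTP message into (start line, body); body is "" if there is no blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    start_line = head.split("\r\n", 1)[0]
    return start_line, (body if sep else "")


def parse_json_body(raw):
    """Return the decoded JSON body of a raw HTTP message, or None if it is not JSON."""
    _, body = split_http_message(raw)
    try:
        return json.loads(body)
    except ValueError:
        return None


def check_transaction(ev):
    """Return a list of reasons why the stored request/response pair looks mis-correlated."""
    issues = []
    req_start, _ = split_http_message(ev.get("request", ""))
    resp_start, _ = split_http_message(ev.get("response", ""))
    if not resp_start.startswith("HTTP/"):
        issues.append("response does not start with an HTTP status line")
    expected_prefix = "%s %s" % (ev.get("method", ""), ev.get("path", ""))
    if not req_start.startswith(expected_prefix):
        issues.append("stored request line does not match the method/path fields")
    resp = parse_json_body(ev.get("response", ""))
    rt = ev.get("responsetime")
    if isinstance(resp, dict):
        took = resp.get("took")
        if isinstance(took, (int, float)) and isinstance(rt, (int, float)) and took > rt:
            issues.append("server-side took (%s ms) exceeds measured responsetime (%s ms)" % (took, rt))
        if ev.get("path", "").endswith("_search") and "hits" not in resp:
            issues.append("_search request paired with a response that has no 'hits'")
    return issues


def find_suspicious(events):
    """Return [(index, issues)] for every event that fails at least one consistency check."""
    result = []
    for i, ev in enumerate(events):
        issues = check_transaction(ev)
        if issues:
            result.append((i, issues))
    return result


if __name__ == "__main__":
    # Optional: pass a file of JSON-lines Packetbeat documents; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            events = [json.loads(line) for line in fh if line.strip()]
    else:
        events = SAMPLE_EVENTS
    for idx, issues in find_suspicious(events):
        print("event %d:" % idx)
        for issue in issues:
            print("  - " + issue)
```

Only transactions with unrealistic responsetime values need to be fed through the checks; a non-empty issue list for such a transaction is a strong sign that Packetbeat paired the request with a response from a different transaction (packet drops or a parsing error), rather than that the server was really that slow or fast.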