Thanks for the welcome and for the answers 
Can you clarify what version of the stack you are running, it should help understand these a bit better.
I leave the versions of the infrastructure used to clarify the scenario:
-
Filebeat: 7.17.0
-
Logstash: 7.17.3
-
Metricbeat: 7.17.0
-
Elasticsearch deployment: 7.17.1
I think that the main issue is that there is not much information about those system indices, what they are used for and if they can be removed without any risk of breaking something.
The problem with these indices is that by not being able to determine their use and, if possible, their elimination, they grow uncontrollably and a corresponding lifetime cannot be established.
This causes the use of resources and shards to multiply and lead to performance errors.
I appreciate any possible help.
All the best,
David