Gotcha. Ok, obviously red indices are a problem, but I'm going to put out of scope right now since we are just talking about naming of indices. Please note the following does not use ILM. That seems like a bit of a stretch to do now with things more critical. Once things quite down you can go back and get all the indices we make below to work under ILM. With that out of the way lets get going.
First thing I'd do is change your current config to:
Once that is done we are going to move on to give your cluster some breathing room.
I'm going to guess again, that there are probably 365 syslog indices from the year 2022 for example. To me the easiest thing to do is to just reindex all of those into a year level index. Something like this would probably do the trick:
Those jobs should run very quickly at a few megabytes a piece. You will probably never see them when you run:
You'll need to repeat that command for each day, but that could be written up ahead of time, and will only need to be done one time. You could probably run a years worth of commands through dev tools in kibana in under a half hour (ctrl-enter is your friend here). If you forget if you've reindexed an index or not, no worries you can just send it again. By default reindex will ignore duplicates. See reindex api documentation for more info.
Once syslog-2022 has all the same number of documents as the daily source indices you can delete the source indices. You wouldn't even have to do the entire year, you could do a month at a time. At this point you should be far away from the 1000 node limit. If there are multiple years worth of data you can reindex them in a similar fashion. Just change the dest index accordingly (ex: syslog-2021).
Finally you will have some 2023 indices that will need to be reindexed into syslog-2023, and can be done in a similar fashion.
Let me repeat, please use ILM after this clean up as it best fits your need. That is the long term solution. This way will give you some breathing room to make sure ILM is setup correctly.