Currently running Graylog 2.2.3 and Elasticsearch 2.4.4 for several instances. Will soon be updating to Graylog 2.3.1, but have not considered Elasticsearch 5 yet because of how it handles directories for indices.
Once you upgrade to Elasticsearch 5, it will rename all of the index directories with a new UUID, making it difficult to figure out which one is associated with a particular index set and when it was created. Also, when Elasticsearch is restarted, the directories and files are touched, so you cannot rely on ls to show the date of the directory. I believe you can stat the write.lock file underneath, but this is less than ideal.
On occasion we will want to move individual indices out of Elasticsearch, and the easiest way has always been to stop the service, move the directory, and start it back up. This works great in test environments when we don’t have to worry about the integrity of orphaned indices.
You now have to either rely on snapshots with curl commands or Graylog’s archive feature.
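
An added example, not part of the original post: one way to recover which index and creation date belong to each UUID-named directory is to join the directory names against the output of `GET _cat/indices?h=index,uuid,creation.date.string`. The cat output, UUIDs and directory names below are constructed sample data, and the temporary directory stands in for the node's indices directory (an assumption).

```python
import os
import tempfile

# Constructed sample of: GET _cat/indices?h=index,uuid,creation.date.string
SAMPLE_CAT_OUTPUT = """\
graylog_41 Zx3kQ1b7T0aQh8mVw2nL5g 2017-08-02T09:14:55.120Z
graylog_42 pR9dYc4uSEe1oJ6tHf0KxA 2017-08-09T09:15:01.004Z
firewall_7 b2MNs8WqRhy5vG3eZlC7Dw 2017-08-11T00:00:03.512Z
"""

# Constructed directory that exists on disk but is unknown to the cluster
ORPHAN_DIR = "q0ConstructedOrphan000"


def parse_cat_indices(text):
    """Return {uuid: (index_name, creation_date)} from the cat output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        name, uuid, created = fields
        mapping[uuid] = (name, created)
    return mapping


def label_index_dirs(indices_dir, mapping):
    """Label each UUID directory; ones the cluster does not list are ORPHANED."""
    report = []
    for entry in sorted(os.listdir(indices_dir)):
        if not os.path.isdir(os.path.join(indices_dir, entry)):
            continue
        name, created = mapping.get(entry, ("ORPHANED", "unknown"))
        report.append((entry, name, created))
    return report


def demo():
    """Build a throwaway directory tree and label it (stand-in for the real path)."""
    mapping = parse_cat_indices(SAMPLE_CAT_OUTPUT)
    with tempfile.TemporaryDirectory() as root:
        for uuid in list(mapping) + [ORPHAN_DIR]:
            os.mkdir(os.path.join(root, uuid))
        return label_index_dirs(root, mapping)


if __name__ == "__main__":
    for uuid, name, created in demo():
        print(f"{uuid}  {name:<12} {created}")
```

The creation date comes from index metadata, so it is unaffected by the directory timestamps changing on restart.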