Finally nailed the culprit through backtracking, connecting the HTTP clients' IPs.
It turned out that somewhere someone had created an Umbraco-based monitoring service, running under IIS, which targets only node 212 as the coordinating node with non-time-constrained searches every 10 sec, thus searching every shard of specific indices.
Had to kill it, of course.
Still, it would be nice to know if it's possible to log searches with an appender + logger as above, since tcpdump doesn't reveal much with HTTPS connections.