[22:26:30] <XioNoX>	 shdubsh: I think I already asked, but how can I export all logs from our central syslog about a specific host and time window?
[22:27:09] <XioNoX>	 the asw2-d2-eqiad disk logs rolled over the weekend, so I need to get them from the central syslog
[22:28:28] <shdubsh>	 XioNoX: I seem to recall this too.  herron mentioned something about extracting logs from Kafka directly, but reconstructing logs from ES requires a bit of code to do
[22:29:44] <herron>	 there are some docs/examples on the logstash wikitech article
[22:30:08] <XioNoX>	 thanks1
[22:30:10] <herron>	 on my mobile at the moment and don’t have the kink handy
[22:30:18] <herron>	 link*
[22:30:28] <XioNoX>	 also the logs are empty between 01:12 and ~04:00 utc
[22:30:46] <XioNoX>	 are they lost or is there still some backlog?
[22:31:03] <shdubsh>	 https://wikitech.wikimedia.org/wiki/Logstash#Extract_data_from_Logstash_with_Python
[22:31:26] <shdubsh>	 XioNoX: hmm, link me?
[22:31:55] <XioNoX>	 shdubsh: https://logstash.wikimedia.org/goto/afa878fef14f4ff4987af44385d14ca9 does that work?
[22:32:24] <XioNoX>	 or the spikes after 4am is the backlog?
[22:34:07] <shdubsh>	 it kinda looks like those spikes are the backlog
[22:35:18] <shdubsh>	 otherwise, if this pipeline is switch udp->logstash directly, they may have been lost in the service thrashing
[22:36:00] <XioNoX>	 makes sens
[22:36:47] <shdubsh>	 none of the timing coorelates with any of the work I was doing that might explain why the spike at 0400
[22:36:47] <XioNoX>	 thanks