Solved: How can I get the ranger audits from solr (Ambari ...

pdegave · ‎06-30-2017

krajguru · ‎06-30-2017

You can use the below call to get only the required fields mentioned in Ranger UI.

curl -o ranger.query --negotiate -u : -X GET "http://<ambari-infra-solr-instance-hostname>:8886/solr/ranger_audits_shard1_replica1/select?q=*%3A*&fq=evtTime%3A%5B2017-06-11T10%3A44%3A00Z+TO+NOW%5D&fl=policy,evtTime,reqUser,repo,resource,resype,access,result,enforcer,cliIP,cluster,event_count&sort=evtTime+desc&start=0&rows=307600&wt=csv&version=2"

Depending on what all logs you want to pull adjust the evtTime, the above query pulls all the audit records, change the evtTime to the timestamp of the first record in ranger.

krajguru · ‎06-30-2017

@Pankaj Degave

You can use the below call to get only the required fields mentioned in Ranger UI.

curl -o ranger.query --negotiate -u : -X GET "http://<ambari-infra-solr-instance-hostname>:8886/solr/ranger_audits_shard1_replica1/select?q=*%3A*&fq=evtTime%3A%5B2017-06-11T10%3A44%3A00Z+TO+NOW%5D&fl=policy,evtTime,reqUser,repo,resource,resype,access,result,enforcer,cliIP,cluster,event_count&sort=evtTime+desc&start=0&rows=307600&wt=csv&version=2"

Depending on what all logs you want to pull adjust the evtTime, the above query pulls all the audit records, change the evtTime to the timestamp of the first record in ranger.

How can I get the ranger audits from solr (Ambari Infra) using a curl call, in the similar format as ranger, my cluster is kerberised ?

How can I get the ranger audits from solr (Ambari Infra) using a curl call, in the similar format as ranger, my cluster is kerberised ?

Re: How can I get the ranger audits from solr (Ambari Infra) using a curl call, in the similar format as ranger, my cluster is kerberised ?

Re: How can I get the ranger audits from solr (Ambari Infra) using a curl call, in the similar format as ranger, my cluster is kerberised ?