
How can I get the Ranger audits from Solr (Ambari Infra) using a curl call, in a similar format to Ranger? My cluster is kerberised.


New Contributor
 
1 ACCEPTED SOLUTION


Re: How can I get the Ranger audits from Solr (Ambari Infra) using a curl call, in a similar format to Ranger? My cluster is kerberised.

Rising Star

@Pankaj Degave

You can use the below call to get only the required fields mentioned in Ranger UI.

curl -o ranger.query --negotiate -u : -X GET "http://<ambari-infra-solr-instance-hostname>:8886/solr/ranger_audits_shard1_replica1/select?q=*%3A*&fq=evtTime%3A%5B2017-06-11T10%3A44%3A00Z+TO+NOW%5D&fl=policy,evtTime,reqUser,repo,resource,resType,access,result,enforcer,cliIP,cluster,event_count&sort=evtTime+desc&start=0&rows=307600&wt=csv&version=2"

Depending on which logs you want to pull, adjust the evtTime. The above query pulls all the audit records; change the evtTime to the timestamp of the first record in Ranger.
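
Added example (not part of the original answer): a shell wrapper around the curl call above that takes the evtTime start as an argument, validates and percent-encodes it, and checks for a Kerberos ticket before querying Solr. The function names, the default row count and the host `solr.example.com` used to exercise it are assumptions; the port, core and query parameters follow the answer, with Ranger's `resType` field name in the field list.

```sh
# Added example; names below are hypothetical, not from the original answer.
SOLR_CORE="ranger_audits_shard1_replica1"
FIELDS="policy,evtTime,reqUser,repo,resource,resType,access,result,enforcer,cliIP,cluster,event_count"

# Print the /select URL for audits from a UTC timestamp up to NOW.
# Args: host, since (YYYY-MM-DDThh:mm:ssZ), start offset, rows.
build_audit_url() (
  host="$1"; since="$2"; start="${3:-0}"; rows="${4:-1000}"
  # Accept only a plain UTC timestamp so the value cannot alter the query.
  case "$since" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) exit 1 ;;
  esac
  # Offsets and row counts must be digits only (no extra URL parameters).
  case "$start$rows" in *[!0-9]*) exit 1 ;; esac
  # Percent-encode the range filter evtTime:[<since> TO NOW].
  fq=$(printf 'evtTime:[%s TO NOW]' "$since" |
    sed -e 's/:/%3A/g' -e 's/\[/%5B/g' -e 's/]/%5D/g' -e 's/ /+/g')
  printf 'http://%s:8886/solr/%s/select?q=*%%3A*&fq=%s&fl=%s&sort=evtTime+desc&start=%s&rows=%s&wt=csv&version=2' \
    "$host" "$SOLR_CORE" "$fq" "$FIELDS" "$start" "$rows"
)

# Save the matching audits as CSV. Args: host, since, output file, rows.
export_audits() (
  host="$1"; since="$2"; out="$3"; rows="${4:-1000}"
  # --negotiate (SPNEGO) needs a valid ticket in the credential cache.
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
  url=$(build_audit_url "$host" "$since" 0 "$rows") ||
    { echo "invalid timestamp or row count" >&2; exit 1; }
  # Audit records name users and client IPs: make the export owner-only.
  umask 077
  # --fail turns an HTTP error status into a non-zero exit instead of
  # saving the error body as if it were CSV.
  curl --fail --silent --show-error --negotiate -u : -o "$out" "$url"
)

# Usage (after kinit): export_audits solr.example.com 2017-06-11T10:44:00Z ranger.csv 5000
```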
