Enabling Ranger audit's will show who made the sql call and what query was issued to HS2.
This is more "metadata" centric, the actually data transferred is not logged in any permanent fashion. That would be the responsibility of the client.
But the combination of the audit (who and what) along with possibly a "hdfs snapshot" can lead to a reproducible scenario.
View solution in original post