ranger_audits Solr collection analysis

The following commands are useful when analyzing the ranger_audit collections to see which user and which service are contributing to the high number of documents.

To see at the user level audit information:-

http://<Solr_hostname>:8886/solr/ranger_audits/select?q=reqUser%3A%5B*+TO+*%5D&wt=json&indent=true&facet=true&facet.field=reqUser&group=true

This command uses the solr group & facet functions to get this aggregated data.

Output:-

{
  "responseHeader":{
    "status":0,
    "QTime":726,
    "params":{
      "q":"reqUser:[* TO *]",
      "facet.field":"reqUser",
      "indent":"true",
      "wt":"json",
      "facet":"true",
      "group":"true"}},
  "grouped":{},
  "facet_counts":{
    "facet_queries":{},
    "facet_fields":{
      "reqUser":[
        "dr.who",37748142,
        "yarn",20857,
        "hbase",7985,
        "mapred",4247,
        "ambari-qa",2112,
        "hive",2112,
        "infra-solr",1]},
    "facet_dates":{},
    "facet_ranges":{},
    "facet_intervals":{},
    "facet_heatmaps":{}}}

To see the audits records by service(hdfs, yarn, hbase, hive...):-

http://<Solr_hostname>:8886/solr/ranger_audits/select?q=repo%3A%5B*+TO+*%5D&wt=json&indent=true&facet=true&facet.field=repo&group=true

Output:-

{
  "responseHeader":{
    "status":0,
    "QTime":750,
    "params":{
      "q":"repo:[* TO *]",
      "facet.field":"repo",
      "indent":"true",
      "wt":"json",
      "facet":"true",
      "group":"true"}},
  "grouped":{},
  "facet_counts":{
    "facet_queries":{},
    "facet_fields":{
      "repo":[
        "c149_yarn",37748142,
        "c149_hadoop",36855,
        "c149_hbase",306]},
    "facet_dates":{},
    "facet_ranges":{},
    "facet_intervals":{},
    "facet_heatmaps":{}}}

This gives us an opportunity to further look into those audits to tune.  This is very helpful when we have more documents getting generated in solr collection.