SSDM indexes only certain fields of an event and displays only the indexed fields in the search results. To view all the fields of an event including the non-indexed fields, SSDM provides an API that helps you extract the entire event data directly from HBase. Similarly, you can use this API to extract raw data as well.
To extract raw data or event data, you can run the rest_client.sh script and specify the RecordID of raw data or EventID of the event respectively along with the time range during which the event occurred. The time range must be in yyMMddHHmmss format. To determine the RecordID of the raw data, you must first extract the event data and note down the RecordID (rv25 value) of the event.
To extract raw data or event data from HBase:
Log in to the SSDM server as a non-administrator user.
(Conditional) To extract event data, run the following command:
sudo –u novell /opt/novell/sentinel/bin/rest_client.sh <sentinel_user_name> <sentinel_password_file> https://<sentinel_IPaddress>:<sentinel_port>/SentinelRESTServices/objects/sor/event/<event_ID>/from_date/to_date
(Conditional) To extract raw data, perform the following:
(Conditional) If you do not have the RecordID of the raw data, complete Step 2 to determine the RecordID (rv25 value) of the event.
Run the following command:
sudo –u novell /opt/novell/sentinel/bin/rest_client.sh <sentinel_user_name> <sentinel_password_file> https://<sentinel_IPaddress>:<sentinel_port>/SentinelRESTServices/objects/sor/rawdata/<raw_data_record_ID>/from_date/to_date