Audit logs are emitted for each request to Palantir services. Sometimes, when a user makes a request to a service, the service may make additional requests to downstream services as part of fulfilling the request. This means that a single user-initiated action may result in multiple audit logs, one for each request in the request chain.
In many cases, I might want to view only the audit log for the user-initiated request, since this gives the most concise view of what action the user performed on which resources, and what the response was.
How can I filter to only the audit logs emitted for user-initiated requests?
User-initiated requests will generate audit logs with a non-empty origins field. This field contains the origin and any forwarded origins of a user-initiated request. If an audit log has an empty origins field, the associated request was not a user-initiated request.
allLogs.filter { log -> log.origins.size() > 0 }
Some subset of user-initiated requests will be made via an API gateway. This is a service that routes and handles requests to other Palantir services. In those cases, the audit log for the user-initiated request would have the category apiGatewayRequest and may not contain all the information about the request and response. To find audit logs that give information about what action the user performed on which resources, and what the response was, filter down to the audit logs generated for the requests made by the API gateway while fulfilling the user-initiated request. These will be the audit logs that have the same traceId as the original audit log and have a userAgent starting with the service in the original audit log.
To find more audit logs associated with an audit log with category apiGatewayRequest, traceId 123 and service my-service:
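The two filters described above, combined in Python as an added example (not code from the original page or from Palantir). It assumes each audit log is a dict with the keys origins, categories (a list), traceId, userAgent and service; the uid key and all sample values are constructed for illustration.

```python
# Added example: the record shape and every sample value below are constructed assumptions.
API_GATEWAY = "apiGatewayRequest"

SAMPLE_LOGS = [
    {"uid": "a", "traceId": "123", "service": "my-service", "categories": [API_GATEWAY],
     "origins": ["192.0.2.10"], "userAgent": "Mozilla/5.0"},
    {"uid": "b", "traceId": "123", "service": "other-service", "categories": ["dataLoad"],
     "origins": [], "userAgent": "my-service/1.2.3"},
    {"uid": "c", "traceId": "123", "service": "third-service", "categories": ["dataLoad"],
     "origins": [], "userAgent": "other-service/4.5.6"},
    {"uid": "d", "traceId": "456", "service": "other-service", "categories": ["dataLoad"],
     "origins": ["192.0.2.10"], "userAgent": "Mozilla/5.0"},
    {"uid": "e", "traceId": "789", "service": "other-service", "categories": ["dataLoad"],
     "origins": [], "userAgent": "my-service/1.2.3"},
]

def user_initiated(logs):
    """Keep logs with a non-empty origins field (missing or None counts as empty)."""
    return [log for log in logs if log.get("origins")]

def gateway_downstream(logs, gateway_log):
    """Logs with the gateway log's traceId whose userAgent starts with its service."""
    service, trace_id = gateway_log.get("service"), gateway_log.get("traceId")
    if not service or not trace_id:
        return []  # an empty service would prefix-match every userAgent
    return [log for log in logs
            if log is not gateway_log
            and log.get("traceId") == trace_id
            and (log.get("userAgent") or "").startswith(service)]

def informative_logs(logs):
    """One pass: swap each apiGatewayRequest log for the logs of the gateway's own requests."""
    result, seen = [], set()
    for log in user_initiated(logs):
        if API_GATEWAY in (log.get("categories") or []):
            # Keep the gateway log itself when no downstream log was found.
            picked = gateway_downstream(logs, log) or [log]
        else:
            picked = [log]
        for item in picked:
            if id(item) not in seen:  # avoid listing the same record twice
                seen.add(id(item))
                result.append(item)
    return result

if __name__ == "__main__":
    for entry in informative_logs(SAMPLE_LOGS):
        print(entry["uid"], entry["traceId"], entry["service"], entry["userAgent"])
```

Log c shares traceId 123 but was made by other-service, and log e has a my-service userAgent on a different trace, so neither is returned for the gateway log.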