我正在使用Amazon Athena获取上周发生的所有控制台登录,现在我能够获得所有控制台登录,无论数据如何。我需要修改以下查询,以便此查询始终获取上周发生的所有aws控制台登录。
WITH events AS (
SELECT
event.eventVersion,
event.eventID,
event.eventTime,
event.eventName,
event.eventType,
event.eventSource,
event.awsRegion,
event.sourceIPAddress,
event.userAgent,
event.userIdentity.type AS userType,
event.userIdentity.arn AS userArn,
event.userIdentity.principalId as userPrincipalId,
event.userIdentity.accountId as userAccountId,
event.userIdentity.userName as userName
FROM cloudtrail.events
CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin';
Ť
答案 0 :(得分:5)
如果该列以文本形式出现,您可以将其转换为时间戳。我发现Amazon Athena可以将'2016-05-03 05:46:00'
转换为时间戳,因此请使用replace()
函数将其格式化为正确的格式:
select cast(replace(replace('2016-05-03T05:46:00Z', 'Z'), 'T', ' ') as timestamp)
因此,在WITH
部分中,将event.eventType
替换为:
cast(replace(replace(event.eventType, 'Z'), 'T', ' ') as timestamp) AS eventType,
然后,您可以对日期使用标准WHERE
语句,例如:
WHERE eventType > '2017-04-01'
或过去一周(基于Presto documentation):
WHERE eventType > current_date - interval '7' day
答案 1 :(得分:1)
例如,您可以使用from_iso8601_timestamp进行转换
SELECT *
FROM my_table
WHERE from_iso8601_timestamp(my_iso_field) > current_timestamp - interval '7' day
答案 2 :(得分:-3)
下面的查询已经过测试并为我工作。
select * table_name where date(column_name) >= (current_date - interval '7' day)