forked from certtools/stats-portal
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmake_agg_tables.sql
110 lines (103 loc) · 3.74 KB
/
make_agg_tables.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
drop table if exists "agg_ndim_day_all_tags" ;
create table "agg_ndim_day_all_tags" as (
select
date_trunc('day', "time.source" at time zone 'UTC') as "date",
count(*) as "count",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"feed.code",
"feed.name",
"feed.provider",
"source.geolocation.cc",
"source.port",
"source.asn" ,
"source.network",
"source.domain_suffix"
from events
-- where
-- "time.source" >= '2018/1/1' and "time.source" <= '2018/12/31'
group by "date",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"feed.code",
"feed.name",
"feed.provider",
"source.geolocation.cc",
"source.port",
"source.asn",
"source.network",
"source.domain_suffix"
order by "date" desc, "source.asn"
);
drop table if exists "agg_ndim_day_netobject_tags" ;
create table "agg_ndim_day_netobject_tags" as (
select
date_trunc('day', "time.source" at time zone 'UTC') as "date",
count(distinct "source.ip") as "count",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"source.geolocation.cc",
"source.port",
"source.asn" ,
"source.network",
"source.domain_suffix"
from events
-- where
-- "time.source" >= '2018/1/1' and "time.source" <= '2018/12/31'
group by "date",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"source.geolocation.cc",
"source.port",
"source.asn",
"source.network",
"source.domain_suffix"
order by "date" desc, "source.asn"
);
drop table if exists "agg_ndim_day_feed_tags" ;
create table "agg_ndim_day_feed_tags" as (
select
date_trunc('day', "time.source" at time zone 'UTC') as "date",
count(*) as "count",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"feed.code",
"feed.name",
"feed.provider",
"source.geolocation.cc"
from events
-- where
-- "time.source" >= '2018/1/1' and "time.source" <= '2018/12/31'
group by "date",
"classification.taxonomy",
"classification.type",
"classification.identifier",
"protocol.application",
"protocol.transport",
"malware.name",
"feed.code",
"feed.name",
"feed.provider",
"source.geolocation.cc"
order by "date" desc
);