我对“交叉引用”两列感兴趣并返回两条信息:
列是saddr, daddr, sbytes, dbytes。
我想找到DISTINCT saddr并匹配它们DISTINCT daddr,然后SUM是sbytes和dbytes。
我还想简单地找到每个存在的记录saddr数daddr(假设daddrN 记录匹配 this saddr)。
对于那些可能对上下文感兴趣的人,我正在使用一个名为argus的包及其客户端rasqlinsert来构建网络流量数据库。
谢谢,
马特
[编辑]
样本数据:
SELECT saddr,daddr,sbytes,dbytes FROM argus.argus2012K17 limit 5;
'01:80:c2:00:00:0a', '20:fd:f1:74:36:96', 194, 0
'01:80:c2:00:00:0a', '20:fd:f1:74:36:b6', 194, 0
'192.168.100.11', '212.243.210.210', 120, 120
'192.168.100.11', '212.243.210.210', 422, 3667
'192.168.100.23', '99.248.99.240', 132, 0
期望的结果:
saddr, daddr, how many records found where they both exist, sum of all sbytes in these records, sum of all dbytes in these records
'01:80:c2:00:00:0a', '20:fd:f1:74:36:96', 2, 388, 0
'192.168.100.11', '212.243.210.210', 2, 542, 3787
'192.168.100.23', '99.248.99.240', 1, 132, 0
我认为我在围绕查询的“它们都存在的地方”方面遇到了最大的麻烦。
[编辑2]
我得出的结论是,我只需要花时间阅读并了解GROUP BY并执行嵌套查询即可获得我想要的信息。但是,如果有人有更多的输入,将不胜感激。
[编辑 3] 解决方案:
SELECT saddr, daddr, SUM(sbytes), SUM(dbytes), count(saddr) FROM argus.argus2012K17 GROUP BY saddr, daddr;
回报:
SELECT saddr, daddr, SUM(sbytes), SUM(dbytes), count(saddr) FROM argus.argus2012K17 where saddr='01:80:c2:00:00:0a' GROUP BY saddr, daddr;
'01:80:c2:00:00:0a', '20:fd:f1:74:36:96', 326114, 0, 1681
'01:80:c2:00:00:0a', '20:fd:f1:74:36:b6', 326114, 0, 1681
地狱是的。
SELECT stime, saddr, daddr, SUM(sbytes), SUM(dbytes), count(saddr) FROM argus.argus2012K17 WHERE stime BETWEEN 1337187600 AND 1337187700 GROUP BY saddr, daddr;