
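My ERP system has a half-baked deletion tracking system that inserts the following information into a table called M2MDeleteLog. For simplicity, I have omitted unnecessary columns such as RecordId.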

    LogDate           Workstation     LogInfo
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:29   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:00:29   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem

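Unfortunately, most of the relevant information is in one text field. The first step is to extract the user (D.STEIN), the screen (SOMAST) and the screen (frmso) from the LogInfo field. That part is relatively easy.

What I want to do is create a scheduled job that runs every 15 minutes or so and looks for suspicious activity. I define suspicious activity as 3 deletions per user per 15-minute interval.

But wait! There's more!

In the data I provided, there are only 3 delete events, each less than a minute apart. I would define a new delete event as occurring at least 20 seconds after the last delete event.

How do I evaluate LogDate, look back 15 minutes, and count the delete events per user, so that an administrator can be notified when more than 3 are logged for a user?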


1 Answer


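Edit: Ah, shoot, I just noticed the SQL2K tag. Example 1 should still work, but example 2 won't. Hmm, how do we solve this...?

Edit: Fixed!

Edit: Better!

Assuming you have parsed the text field, this query will give you any deletion that was preceded by at least 2 deletions by the same user within a 15-minute window: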

    SELECT UserName, LogDate
    FROM #parsed_data a
    WHERE EXISTS (
      SELECT * FROM #parsed_data b
      WHERE a.UserName = b.UserName
        AND b.LogDate < a.LogDate
        AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
      HAVING COUNT(*) >= 2
      )

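(You should have an index on (UserName, LogDate), by the way.)

As for counting only deletions that are 20 seconds or more apart, that's not so simple. Perhaps something like this?

SQL2K, based on Quassnoi: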

    SELECT a.UserName, a.LogDate, b.LogDate, c.LogDate --, etc
    FROM #parsed_data a
    -- b: latest delete by the same user 20+ seconds before a, within 15 minutes of a
    JOIN #parsed_data b 
      ON b.RecordId = (
        SELECT TOP 1 b0.RecordId FROM #parsed_data b0
        WHERE b0.UserName = a.UserName AND b0.LogDate < a.LogDate
          AND DATEDIFF(MINUTE,b0.LogDate,a.LogDate) <= 15
          AND DATEDIFF(SECOND,b0.LogDate,a.LogDate) >= 20
        ORDER BY b0.LogDate DESC
        )
    -- c: latest delete by the same user 20+ seconds before b, still within 15 minutes of a
    JOIN #parsed_data c
      ON c.RecordId = (
        SELECT TOP 1 c0.RecordId FROM #parsed_data c0
        WHERE c0.UserName = b.UserName AND c0.LogDate < b.LogDate
          AND DATEDIFF(MINUTE,c0.LogDate,a.LogDate) <= 15
          AND DATEDIFF(SECOND,c0.LogDate,b.LogDate) >= 20
        ORDER BY c0.LogDate DESC
        )

SQL2005/2008, CROSS APPLY:

    SELECT a.UserName
    , a.LogDate AS LogDate0 -- current
    , b.LogDate AS LogDate1 -- prior
    , c.LogDate as LogDate2 -- prior prior
    FROM #parsed_data a
    CROSS APPLY (
      SELECT TOP 1 b.LogDate FROM #parsed_data b 
      WHERE b.UserName = a.UserName
        AND b.LogDate < a.LogDate
        AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
        AND DATEDIFF(SECOND,b.LogDate,a.LogDate) >= 20
      ORDER BY b.LogDate DESC
      ) b
    CROSS APPLY (
      SELECT TOP 1 c.LogDate FROM #parsed_data c
      WHERE c.UserName = a.UserName
        AND c.LogDate < b.LogDate
        AND DATEDIFF(MINUTE,c.LogDate,a.LogDate) <= 15
        AND DATEDIFF(SECOND,c.LogDate,b.LogDate) >= 20
      ORDER BY c.LogDate DESC
      ) c

In the CROSS APPLY, I used TOP 1 LogDate ... ORDER BY LogDate DESC instead of MAX(LogDate) so that you can add other fields to the result set, such as RecordId, Workstation, etc.

Answered 2010-01-07T22:27:28.870
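
One way to build the #parsed_data table the answer assumes and then raise the per-user alert the question asks for, written so it also runs on SQL Server 2000; this is an added example, not part of the original question or answer. The sample rows, the RecordId identity column, the TableName and FormName column names, @now, @threshold, and the reading of "event" (a row with no row by the same user in the preceding 20 seconds) are assumptions.

```sql
-- Constructed sample rows in the M2MDeleteLog layout from the question.
CREATE TABLE #M2MDeleteLog (
    RecordId    INT IDENTITY(1,1) PRIMARY KEY,  -- assumed identity column
    LogDate     DATETIME     NOT NULL,
    Workstation VARCHAR(32)  NOT NULL,
    LogInfo     VARCHAR(255) NOT NULL
)
INSERT INTO #M2MDeleteLog (LogDate, Workstation, LogInfo)
SELECT '2010-01-07T11:00:28', 'TECH-M2MTEST', 'Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE' UNION ALL
SELECT '2010-01-07T11:00:28', 'TECH-M2MTEST', 'Deleting 1 Rows From SOItem' UNION ALL
SELECT '2010-01-07T11:00:29', 'TECH-M2MTEST', 'Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE' UNION ALL
SELECT '2010-01-07T11:01:00', 'TECH-M2MTEST', 'Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE' UNION ALL
SELECT '2010-01-07T11:01:51', 'TECH-M2MTEST', 'Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE'

-- Step 1: keep only rows that name a user and split LogInfo on its fixed keywords.
SELECT p.RecordId, p.LogDate, p.Workstation,
       SUBSTRING(p.LogInfo, p.pBy   + 4,  p.pIn    - p.pBy   - 4)  AS UserName,
       SUBSTRING(p.LogInfo, p.pIn   + 4,  p.pForm  - p.pIn   - 4)  AS TableName,
       SUBSTRING(p.LogInfo, p.pForm + 11, p.pParam - p.pForm - 11) AS FormName
INTO #parsed_data
FROM (
    SELECT RecordId, LogDate, Workstation, LogInfo,
           CHARINDEX(' by ', LogInfo)                                 AS pBy,
           CHARINDEX(' in ', LogInfo, CHARINDEX(' by ', LogInfo) + 4) AS pIn,
           CHARINDEX(' from form ', LogInfo)                          AS pForm,
           CHARINDEX(' Parameters:', LogInfo)                         AS pParam
    FROM #M2MDeleteLog
    WHERE LogInfo LIKE 'Unqualified M2MDELETE by % in % from form % Parameters:%'
) p

-- Step 2: count event starts per user in the last 15 minutes. A timestamp starts an
-- event when the same user has no row in the 20 seconds before it (assumed definition).
DECLARE @now DATETIME, @threshold INT
SELECT @now = '2010-01-07T11:05:00', @threshold = 3  -- constructed; use GETDATE() in the job

SELECT a.UserName, COUNT(*) AS DeleteEvents, MIN(a.LogDate) AS FirstEvent, MAX(a.LogDate) AS LastEvent
FROM (SELECT DISTINCT UserName, LogDate FROM #parsed_data) a
WHERE a.LogDate >= DATEADD(MINUTE, -15, @now)
  AND NOT EXISTS (
      SELECT * FROM #parsed_data b
      WHERE b.UserName = a.UserName
        AND b.LogDate <  a.LogDate
        AND b.LogDate >= DATEADD(SECOND, -20, a.LogDate)
  )
GROUP BY a.UserName
HAVING COUNT(*) >= @threshold
```

Any row this returns is a user to report to the administrator; the DISTINCT keeps the several log rows written in the same second from each counting as a separate event.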