2

我正在处理AWS Cloudtrail 日志分析的过程,我陷入了从一行中提取 JSON 的困境,

这是我的表定义。

CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
eventName STRING,
awsRegion STRING,
requestParameters STRING,
elements STRING  ,
additionalEventData STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://XXXXXX/CloudTrail'

如果我运行select elements from cl1 limit 1它会返回这个结果。

{"groupId":"sg-XXXX","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"groups":{},"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]},"prefixListIds":{}}]}}

我需要将此结果显示为虚拟列,例如,

| groupId | ipProtocol | fromPort | toPort| ipRanges.items.cidrIp|
|---------|------------|--------- | ------|-----------------------------|
| -1      | 0          |          |       |                             |

我使用 AWS Athena,我尝试了横向视图,但 get_json_object 在 AWS 中不起作用。

它是一个外部表

4

1 回答 1

2 
select  json_extract_scalar(i.item,'$.ipProtocol')  as ipProtocol
       ,json_extract_scalar(i.item,'$.fromPort')    as fromPort
       ,json_extract_scalar(i.item,'$.toPort')      as toPort

from    cloudtrail_logs
        cross join unnest (cast(json_extract(elements,'$.ipPermissions.items') 
            as array(json))) as i (item)
;

 ipProtocol | fromPort | toPort
------------+----------+--------
 "tcp"      | 22       | 22
于 2017-03-18T21:38:29.667 回答