From d28ed9d661b719f03f3ddb8f15aa56ecd8233a60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E5=AE=BD?= <wangkuan@mesalab.cn>
Date: Mon, 25 Sep 2023 03:32:22 +0000
Subject: [PATCH] =?UTF-8?q?Update=20Clickhouse=5FCN=5F=E5=BB=BA=E8=A1=A8?=
 =?UTF-8?q?=E8=AF=AD=E5=8F=A5.sql=EF=BC=8C=E6=96=B0=E5=A2=9Ecn=5Fsecurity?=
 =?UTF-8?q?=5Fevent=E8=A1=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Clickhouse_CN_建表语句.sql                | 106 +++++++++++++++++-
 1 file changed, 105 insertions(+), 1 deletion(-)

diff --git a/Clickhouse最新全量建表语句/Clickhouse_CN_建表语句.sql b/Clickhouse最新全量建表语句/Clickhouse_CN_建表语句.sql
index 69331bb..8f16d7d 100644
--- a/Clickhouse最新全量建表语句/Clickhouse_CN_建表语句.sql
+++ b/Clickhouse最新全量建表语句/Clickhouse_CN_建表语句.sql
@@ -1694,4 +1694,108 @@ FROM cyber_narrator_galaxy.metric_ip_dynamic_attribute_local AS c1
 GROUP BY
     ip,
     l7_protocol,
-    port;
\ No newline at end of file
+    port;
+
+CREATE TABLE IF NOT EXISTS cyber_narrator_galaxy.cn_security_event_local ON CLUSTER ck_cluster
+(
+
+    status Int64,
+    is_builtin Int64,
+    rule_type String,
+    victim_ip String,
+    offender_ip String,
+    event_info String,
+    event_key String,
+    severity String,
+    event_type String,
+    duration_s Int64,
+    event_name String,
+    app String,
+    domain String,
+    event_id Int64,
+    rule_id Int64,
+    start_time Int64,
+    end_time Int64,
+    match_times Int64
+)
+ENGINE = MergeTree
+ORDER BY event_id
+TTL toDateTime(end_time) + toIntervalSecond(2592000),
+ toDateTime(end_time) + toIntervalSecond(1) GROUP BY event_id
+ SET 
+ status = anyLast(status),
+ is_builtin = anyLast(is_builtin),
+ rule_type = anyLast(rule_type),
+ victim_ip = anyLast(victim_ip),
+ offender_ip = anyLast(offender_ip),
+ event_info = anyLast(event_info),
+ event_key = anyLast(event_key),
+ severity = anyLast(severity),
+ event_type = anyLast(event_type),
+ duration_s = anyLast(duration_s),
+ event_name = anyLast(event_name),
+ app = anyLast(app),
+ domain = anyLast(domain), 
+ rule_id = anyLast(rule_id), 
+ start_time = anyLast(start_time),
+ end_time = max(end_time),
+ match_times = anyLast(match_times);
+
+
+CREATE TABLE IF NOT EXISTS cyber_narrator_galaxy.cn_security_event ON CLUSTER ck_cluster
+(
+
+    status Int64,
+    is_builtin Int64,
+    rule_type String,
+    victim_ip String,
+    offender_ip String,
+    event_info String,
+    event_key String,
+    severity String,
+    event_type String,
+    duration_s Int64,
+    event_name String,
+    app String,
+    domain String,
+    event_id Int64,
+    rule_id Int64,
+    start_time Int64,
+    end_time Int64,
+    match_times Int64
+)
+ENGINE = Distributed('ck_cluster',
+ 'cyber_narrator_galaxy',
+ 'cn_security_event_local',
+ rand());
+
+CREATE TABLE IF NOT EXISTS cyber_narrator_galaxy.cn_security_event  ON CLUSTER ck_query
+(
+
+    status Int64,
+    is_builtin Int64,
+    rule_type String,
+    victim_ip String,
+    offender_ip String,
+    event_info String,
+    event_key String,
+    severity String,
+    event_type String,
+    duration_s Int64,
+    event_name String,
+    app String,
+    domain String,
+    event_id Int64,
+    rule_id Int64,
+    start_time Int64,
+    end_time Int64,
+    match_times Int64
+)
+ENGINE = Distributed('ck_cluster',
+ 'cyber_narrator_galaxy',
+ 'cn_security_event_local',
+ rand());
+
+
+
+