|
|
|
|
@@ -36,21 +36,21 @@ object BaseClickhouseData {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
def getVertexFqdnDf: DataFrame = {
|
|
|
|
|
val where = "common_recv_time >= " + timeLimit._2 + " AND common_recv_time < " + timeLimit._1
|
|
|
|
|
val where = "recv_time >= " + timeLimit._2 + " AND recv_time < " + timeLimit._1
|
|
|
|
|
val sql =
|
|
|
|
|
s"""
|
|
|
|
|
|(SELECT
|
|
|
|
|
| FQDN,MAX( LAST_FOUND_TIME ) AS LAST_FOUND_TIME,MIN( FIRST_FOUND_TIME ) AS FIRST_FOUND_TIME,common_vsys_id AS VSYS_ID
|
|
|
|
|
| FQDN,MAX( LAST_FOUND_TIME ) AS LAST_FOUND_TIME,MIN( FIRST_FOUND_TIME ) AS FIRST_FOUND_TIME,vsys_id AS VSYS_ID
|
|
|
|
|
|FROM
|
|
|
|
|
| ((SELECT
|
|
|
|
|
| ssl_sni AS FQDN,MAX( common_recv_time ) AS LAST_FOUND_TIME,MIN( common_recv_time ) AS FIRST_FOUND_TIME,common_vsys_id AS VSYS_ID
|
|
|
|
|
| ssl_sni AS FQDN,MAX( recv_time ) AS LAST_FOUND_TIME,MIN( recv_time ) AS FIRST_FOUND_TIME,vsys_id AS VSYS_ID
|
|
|
|
|
| FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
| WHERE $where and common_schema_type = 'SSL' GROUP BY ssl_sni,common_vsys_id
|
|
|
|
|
| WHERE $where and decoded_as = 'SSL' GROUP BY ssl_sni,vsys_id
|
|
|
|
|
| )UNION ALL
|
|
|
|
|
| (SELECT
|
|
|
|
|
| http_host AS FQDN,MAX( common_recv_time ) AS LAST_FOUND_TIME,MIN( common_recv_time ) AS FIRST_FOUND_TIME,common_vsys_id AS VSYS_ID
|
|
|
|
|
| http_host AS FQDN,MAX( recv_time ) AS LAST_FOUND_TIME,MIN( recv_time ) AS FIRST_FOUND_TIME,vsys_id AS VSYS_ID
|
|
|
|
|
| FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
| WHERE $where and common_schema_type = 'HTTP' GROUP BY http_host,common_vsys_id))
|
|
|
|
|
| WHERE $where and decoded_as = 'HTTP' GROUP BY http_host,vsys_id))
|
|
|
|
|
|GROUP BY FQDN,VSYS_ID HAVING FQDN != '') as dbtable
|
|
|
|
|
""".stripMargin
|
|
|
|
|
LOG.warn(sql)
|
|
|
|
|
@@ -60,32 +60,32 @@ object BaseClickhouseData {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
def getVertexIpDf: DataFrame = {
|
|
|
|
|
val where = "common_recv_time >= " + timeLimit._2 + " AND common_recv_time < " + timeLimit._1
|
|
|
|
|
val where = "recv_time >= " + timeLimit._2 + " AND recv_time < " + timeLimit._1
|
|
|
|
|
val sql =
|
|
|
|
|
s"""
|
|
|
|
|
|(SELECT * FROM
|
|
|
|
|
|((SELECT common_client_ip AS IP,MIN(common_recv_time) AS FIRST_FOUND_TIME,
|
|
|
|
|
|MAX(common_recv_time) AS LAST_FOUND_TIME,
|
|
|
|
|
|((SELECT client_ip AS IP,MIN(recv_time) AS FIRST_FOUND_TIME,
|
|
|
|
|
|MAX(recv_time) AS LAST_FOUND_TIME,
|
|
|
|
|
|count(*) as SESSION_COUNT,
|
|
|
|
|
|SUM(common_c2s_byte_num+common_s2c_byte_num) as BYTES_SUM,
|
|
|
|
|
|groupUniqArray(2)(common_link_info_c2s)[2] as common_link_info,
|
|
|
|
|
|SUM(sent_bytes+received_bytes) as BYTES_SUM,
|
|
|
|
|
|'' as common_link_info,
|
|
|
|
|
|'client' as ip_type
|
|
|
|
|
|,common_vsys_id AS VSYS_ID
|
|
|
|
|
|,vsys_id AS VSYS_ID
|
|
|
|
|
|FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
|where $where
|
|
|
|
|
|group by common_client_ip,common_vsys_id)
|
|
|
|
|
|group by client_ip,vsys_id)
|
|
|
|
|
|UNION ALL
|
|
|
|
|
|(SELECT common_server_ip AS IP,
|
|
|
|
|
|MIN(common_recv_time) AS FIRST_FOUND_TIME,
|
|
|
|
|
|MAX(common_recv_time) AS LAST_FOUND_TIME,
|
|
|
|
|
|(SELECT server_ip AS IP,
|
|
|
|
|
|MIN(recv_time) AS FIRST_FOUND_TIME,
|
|
|
|
|
|MAX(recv_time) AS LAST_FOUND_TIME,
|
|
|
|
|
|count(*) as SESSION_COUNT,
|
|
|
|
|
|SUM(common_c2s_byte_num+common_s2c_byte_num) as BYTES_SUM,
|
|
|
|
|
|groupUniqArray(2)(common_link_info_s2c)[2] as common_link_info,
|
|
|
|
|
|SUM(sent_bytes+received_bytes) as BYTES_SUM,
|
|
|
|
|
|'' as common_link_info,
|
|
|
|
|
|'server' as ip_type
|
|
|
|
|
|,common_vsys_id AS VSYS_ID
|
|
|
|
|
|,vsys_id AS VSYS_ID
|
|
|
|
|
|FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
|where $where
|
|
|
|
|
|group by common_server_ip,common_vsys_id))) as dbtable
|
|
|
|
|
|group by server_ip,vsys_id))) as dbtable
|
|
|
|
|
""".stripMargin
|
|
|
|
|
LOG.warn(sql)
|
|
|
|
|
val frame = initClickhouseData(sql)
|
|
|
|
|
@@ -95,19 +95,19 @@ object BaseClickhouseData {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def getRelationFqdnLocateIpDf: DataFrame = {
|
|
|
|
|
val where = "common_recv_time >= " + timeLimit._2 + " AND common_recv_time < " + timeLimit._1
|
|
|
|
|
val where = "recv_time >= " + timeLimit._2 + " AND recv_time < " + timeLimit._1
|
|
|
|
|
val sql =
|
|
|
|
|
s"""
|
|
|
|
|
|(SELECT * FROM
|
|
|
|
|
|((SELECT ssl_sni AS FQDN,common_server_ip,MAX(common_recv_time) AS LAST_FOUND_TIME,MIN(common_recv_time) AS FIRST_FOUND_TIME,COUNT(*) AS COUNT_TOTAL,
|
|
|
|
|
|toString(groupUniqArray(${ApplicationConfig.DISTINCT_CLIENT_IP_NUM})(common_client_ip)) AS DIST_CIP_RECENT,'TLS' AS schema_type,common_vsys_id AS VSYS_ID
|
|
|
|
|
|((SELECT ssl_sni AS FQDN,server_ip,MAX(recv_time) AS LAST_FOUND_TIME,MIN(recv_time) AS FIRST_FOUND_TIME,COUNT(*) AS COUNT_TOTAL,
|
|
|
|
|
|toString(groupUniqArray(${ApplicationConfig.DISTINCT_CLIENT_IP_NUM})(client_ip)) AS DIST_CIP_RECENT,'TLS' AS schema_type,vsys_id AS VSYS_ID
|
|
|
|
|
|FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
|WHERE $where and common_schema_type = 'SSL' GROUP BY ssl_sni,common_server_ip,common_vsys_id)
|
|
|
|
|
|WHERE $where and decoded_as = 'SSL' GROUP BY ssl_sni,server_ip,vsys_id)
|
|
|
|
|
|UNION ALL
|
|
|
|
|
|(SELECT http_host AS FQDN,common_server_ip,MAX(common_recv_time) AS LAST_FOUND_TIME,MIN(common_recv_time) AS FIRST_FOUND_TIME,COUNT(*) AS COUNT_TOTAL,
|
|
|
|
|
|toString(groupUniqArray(${ApplicationConfig.DISTINCT_CLIENT_IP_NUM})(common_client_ip)) AS DIST_CIP_RECENT,'HTTP' AS schema_type,common_vsys_id AS VSYS_ID
|
|
|
|
|
|(SELECT http_host AS FQDN,server_ip,MAX(recv_time) AS LAST_FOUND_TIME,MIN(recv_time) AS FIRST_FOUND_TIME,COUNT(*) AS COUNT_TOTAL,
|
|
|
|
|
|toString(groupUniqArray(${ApplicationConfig.DISTINCT_CLIENT_IP_NUM})(client_ip)) AS DIST_CIP_RECENT,'HTTP' AS schema_type,vsys_id AS VSYS_ID
|
|
|
|
|
|FROM ${ApplicationConfig.SPARK_READ_CLICKHOUSE_SESSION_TABLE}
|
|
|
|
|
|WHERE $where and common_schema_type = 'HTTP' GROUP BY http_host,common_server_ip,common_vsys_id))
|
|
|
|
|
|WHERE $where and decoded_as = 'HTTP' GROUP BY http_host,server_ip,vsys_id))
|
|
|
|
|
|WHERE FQDN != '') as dbtable
|
|
|
|
|
""".stripMargin
|
|
|
|
|
LOG.warn(sql)
|
|
|
|
|
|
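Review bot: In getVertexIpDf the new select list emits `'' as common_link_info` in both the client and the server branch, where the old query aggregated `groupUniqArray(2)(common_link_info_c2s)[2]` and its `_s2c` counterpart, so every IP vertex row now carries an empty link-info value and nothing visible says this is intended. If the renamed schema has no equivalent column, a comment above `val sql` such as `// link info is not available in the new session schema; common_link_info stays '' only to keep the column layout` would stop consumers from reading the blank as observed data; if an equivalent column exists, the aggregation should be kept against it. Relatedly, getRelationFqdnLocateIpDf now selects `server_ip` without an alias, so the result column is no longer named `common_server_ip`; any code that reads that column lies outside these hunks and is worth checking. All three function bodies continue past the visible hunks.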