snippetMinor
How to get the records from Amazon Athena for past week only
Viewed 0 times
theathenarecordspastgetamazonforweekhowfrom
Problem
I am writing a query to get Amazon Athena records for the past one week only. Here is what I wrote so far:
But I am not sure how to write it to extract records for the past 1 week only.
WITH events AS (
SELECT
event.eventVersion,
event.eventID,
event.eventTime,
event.eventName,
event.eventType,
event.eventSource,
event.awsRegion,
event.sourceIPAddress,
event.userAgent,
event.userIdentity.type AS userType,
event.userIdentity.arn AS userArn,
event.userIdentity.principalId as userPrincipalId,
event.userIdentity.accountId as userAccountId,
event.userIdentity.userName as userName
FROM cloudtrail.events
CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin';But I am not sure how to write it to extract records for the past 1 week only.
Solution
@Philᵀᴹ's answer is almost there. I just used it on my query and found the fix. I would have commented, but don't have enough points, so here's the answer.
You have to use
You can test the format you actually need by doing a test query like this:
Returns: '2018-06-05'
Returns: '2018-06-05T19:25:21.331Z', which is the same format as event.eventTime, and that works.
You have to use
current_timestamp and then convert it to iso8601 format. Like so:WITH events AS (
SELECT
event.eventVersion,
event.eventID,
event.eventTime,
event.eventName,
event.eventType,
event.eventSource,
event.awsRegion,
event.sourceIPAddress,
event.userAgent,
event.userIdentity.type AS userType,
event.userIdentity.arn AS userArn,
event.userIdentity.principalId as userPrincipalId,
event.userIdentity.accountId as userAccountId,
event.userIdentity.userName as userName
FROM cloudtrail.events
CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin'
and eventTime > to_iso8601(current_timestamp - interval '7' day);You can test the format you actually need by doing a test query like this:
SELECT to_iso8601(current_date - interval '7' day);Returns: '2018-06-05'
SELECT to_iso8602(current_timestamp - interval '7' day);Returns: '2018-06-05T19:25:21.331Z', which is the same format as event.eventTime, and that works.
Code Snippets
WITH events AS (
SELECT
event.eventVersion,
event.eventID,
event.eventTime,
event.eventName,
event.eventType,
event.eventSource,
event.awsRegion,
event.sourceIPAddress,
event.userAgent,
event.userIdentity.type AS userType,
event.userIdentity.arn AS userArn,
event.userIdentity.principalId as userPrincipalId,
event.userIdentity.accountId as userAccountId,
event.userIdentity.userName as userName
FROM cloudtrail.events
CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin'
and eventTime > to_iso8601(current_timestamp - interval '7' day);SELECT to_iso8601(current_date - interval '7' day);SELECT to_iso8602(current_timestamp - interval '7' day);Context
StackExchange Database Administrators Q#171614, answer score: 9
Revisions (0)
No revisions yet.