Sql 通过Athena和CloudTrail找到EC2实例的所有者_Sql_Json_Amazon Web Services_Broadcastreceiver_Amazon Athena

Sql 通过Athena和CloudTrail找到EC2实例的所有者

sql json amazon-web-services

Sql 通过Athena和CloudTrail找到EC2实例的所有者,sql,json,amazon-web-services,broadcastreceiver,amazon-athena,Sql,Json,Amazon Web Services,Broadcastreceiver,Amazon Athena,为了知道每个EC2实例的所有者，我查询了Athena存储在S3中的cloudtrail日志我在雅典娜有一张桌子，结构如下： CREATE EXTERNAL TABLE cloudtrail_logs ( eventversion STRING, useridentity STRUCT< type:STRING, principalid:STRING, arn:STRING,

为了知道每个

EC2实例的所有者

，我查询了

Athena

存储在S3中的

cloudtrail日志

我在雅典娜有一张桌子，结构如下：

CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
useridentity STRUCT<
               type:STRING,
               principalid:STRING,
               arn:STRING,
               accountid:STRING,
               invokedby:STRING,
               accesskeyid:STRING,
               userName:STRING,
sessioncontext:STRUCT<
attributes:STRUCT<
               mfaauthenticated:STRING,
               creationdate:STRING>,
sessionissuer:STRUCT<  
               type:STRING,
               principalId:STRING,
               arn:STRING, 
               accountId:STRING,
               userName:STRING>>>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
resources ARRAY<STRUCT<
               ARN:STRING,
               accountId:STRING,
               type:STRING>>,
eventtype STRING,
apiversion STRING,
readonly STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING
)
PARTITIONED BY (account string, region string, year string)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://<BUCKET>/AWSLogs/';

这是我尝试的查询：

SELECT DISTINCT eventsource, eventname, useridentity.userName, eventtime, json_extract(responseelements, '$.instanceId') as instance_id  
FROM cloudtrail_logs
WHERE account = 'xxxxxxxxxxxxxxx' 
AND eventname = 'RunInstances';

但这会将

instance\u id

作为空列提供。

如何从

resposneelement

正确地仅获取

实例\u id

？

我找到了正确的查询来查找ECS实例的所有者。那可能会有帮助

SELECT DISTINCT eventsource, eventname, useridentity.userName, eventtime, json_extract(responseelements, '$.instancesSet.items[0].instanceId') as instance_id  
FROM cloudtrail_logs
WHERE account = 'xxxxxxx' 
AND eventname = 'RunInstances'
AND responseelements LIKE '%i-3434ecb4c12%' 
;

@蒂托乔我查过了。。你能检查一下最新的问题吗？

SELECT DISTINCT eventsource, eventname, useridentity.userName, eventtime, json_extract(responseelements, '$.instancesSet.items[0].instanceId') as instance_id  
FROM cloudtrail_logs
WHERE account = 'xxxxxxx' 
AND eventname = 'RunInstances'
AND responseelements LIKE '%i-3434ecb4c12%' 
;