本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用分割區投影在 Athena 中建立 CloudTrail 日誌的資料表
由於 CloudTrail 日誌具有您可以事先指定其分割區配置的已知結構,您可以使用 Athena 分割區投影功能來減少查詢執行時間並自動化分割區管理。分割區投影會在新增資料時自動新增分割區。因此您無需使用 `ALTER TABLE ADD PARTITION` 手動新增分割區。
以下 `CREATE TABLE` 陳述式範例會從指定日期到現在,對單一 AWS 區域的 CloudTrail 日誌自動使用分割區投影。在 `LOCATION` 和 `storage.location.template` 子句中,請以對應的相同值取代{{儲存貯體}}、{{account-id}} 和 {{aws-region}} 預留位置。對於 `projection.timestamp.range`,請用您要使用的開始日期取代 {{2020}}/{{01}}/{{01}}。成功執行查詢之後,您可以查詢資料表。您無須執行 `ALTER TABLE ADD PARTITION` 就能載入分割區。
```
CREATE EXTERNAL TABLE cloudtrail_logs_pp(
eventversion STRING,
useridentity STRUCT<
type: STRING,
principalid: STRING,
arn: STRING,
accountid: STRING,
invokedby: STRING,
accesskeyid: STRING,
username: STRING,
onbehalfof: STRUCT<
userid: STRING,
identitystorearn: STRING>,
sessioncontext: STRUCT<
attributes: STRUCT<
mfaauthenticated: STRING,
creationdate: STRING>,
sessionissuer: STRUCT<
type: STRING,
principalid: STRING,
arn: STRING,
accountid: STRING,
username: STRING>,
ec2roledelivery:string,
webidfederationdata: STRUCT<
federatedprovider: STRING,
attributes: map>
>
>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
readonly STRING,
resources ARRAY>,
eventtype STRING,
apiversion STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING,
vpcendpointaccountid STRING,
eventcategory STRING,
addendum STRUCT<
reason:STRING,
updatedfields:STRING,
originalrequestid:STRING,
originaleventid:STRING>,
sessioncredentialfromconsole STRING,
edgedevicedetails STRING,
tlsdetails STRUCT<
tlsversion:STRING,
ciphersuite:STRING,
clientprovidedhostheader:STRING>
)
PARTITIONED BY (
`timestamp` string)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
's3://amzn-s3-demo-bucket/AWSLogs/{{account-id}}/{{CloudTrail}}/{{aws-region}}'
TBLPROPERTIES (
'projection.enabled'='true',
'projection.timestamp.format'='yyyy/MM/dd',
'projection.timestamp.interval'='1',
'projection.timestamp.interval.unit'='DAYS',
'projection.timestamp.range'='{{2020}}/{{01}}/{{01}},NOW',
'projection.timestamp.type'='date',
'storage.location.template'='s3://amzn-s3-demo-bucket/AWSLogs/{{account-id}}/{{CloudTrail}}/{{aws-region}}/${timestamp}')
```
如需有關分割區投影的詳細資訊,請參閱[透過 Amazon Athena 使用分割區投影](partition-projection.md)。