本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用分割區投影在 Athena 中建立 S3 日誌的 AWS WAF 資料表
由於 AWS WAF 日誌具有已知的結構,您可以預先指定其分割區配置,因此您可以使用 Athena 分割區投影功能來減少查詢執行時間並自動化分割區管理。分割區投影會在新增資料時自動新增分割區。因此您無需使用 ALTER TABLE ADD PARTITION 手動新增分割區。
下列範例CREATE TABLE陳述式會自動在指定日期到四個不同 AWS 區域的 AWS WAF 日誌上使用分割區投影。本範例中的 PARTITION BY 子句按區域和日期進行分割,但您可以根據自己的要求進行修改。視需要修改欄位,以符合您的日誌輸出。在 LOCATION和 storage.location.template子句中,將 amzn-s3-demo-bucket 和 AWS_ACCOUNT_NUMBER 預留位置取代為可識別 AWS WAF 日誌 Amazon S3 儲存貯體位置的值。對於 projection.day.range,請用您要使用的開始日期取代 2021/01/01。成功執行查詢之後,您可以查詢資料表。您無須執行 ALTER TABLE ADD PARTITION 就能載入分割區。
CREATE EXTERNAL TABLE `waf_logs_partition_projection`( `timestamp` bigint, `formatversion` int, `webaclid` string, `terminatingruleid` string, `terminatingruletype` string, `action` string, `terminatingrulematchdetails` array<struct<conditiontype:string,sensitivitylevel:string,location:string,matcheddata:array<string>>>, `httpsourcename` string, `httpsourceid` string, `rulegrouplist` array<struct<rulegroupid:string,terminatingrule:struct<ruleid:string,action:string,rulematchdetails:array<struct<conditiontype:string,sensitivitylevel:string,location:string,matcheddata:array<string>>>>,nonterminatingmatchingrules:array<struct<ruleid:string,action:string,overriddenaction:string,rulematchdetails:array<struct<conditiontype:string,sensitivitylevel:string,location:string,matcheddata:array<string>>>,challengeresponse:struct<responsecode:string,solvetimestamp:string>,captcharesponse:struct<responsecode:string,solvetimestamp:string>>>,excludedrules:string>>, `ratebasedrulelist` array<struct<ratebasedruleid:string,limitkey:string,maxrateallowed:int>>, `nonterminatingmatchingrules` array<struct<ruleid:string,action:string,rulematchdetails:array<struct<conditiontype:string,sensitivitylevel:string,location:string,matcheddata:array<string>>>,challengeresponse:struct<responsecode:string,solvetimestamp:string>,captcharesponse:struct<responsecode:string,solvetimestamp:string>>>, `requestheadersinserted` array<struct<name:string,value:string>>, `responsecodesent` string, `httprequest` struct<clientip:string,country:string,headers:array<struct<name:string,value:string>>,uri:string,args:string,httpversion:string,httpmethod:string,requestid:string,fragment:string,scheme:string,host:string>, `labels` array<struct<name:string>>, `captcharesponse` struct<responsecode:string,solvetimestamp:string,failurereason:string>, `challengeresponse` struct<responsecode:string,solvetimestamp:string,failurereason:string>, `ja3fingerprint` string, `ja4fingerprint` string, `oversizefields` string, `requestbodysize` int, `requestbodysizeinspectedbywaf` int) PARTITIONED BY ( `log_time` string) ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe' STORED AS INPUTFORMAT 'org.apache.hadoop.mapred.TextInputFormat' OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat' LOCATION 's3://amzn-s3-demo-bucket/AWSLogs/AWS_ACCOUNT_NUMBER/WAFLogs/cloudfront/testui/' TBLPROPERTIES ( 'projection.enabled'='true', 'projection.log_time.format'='yyyy/MM/dd/HH/mm', 'projection.log_time.interval'='1', 'projection.log_time.interval.unit'='minutes', 'projection.log_time.range'='2025/01/01/00/00,NOW', 'projection.log_time.type'='date', 'storage.location.template'='s3://amzn-s3-demo-bucket/AWSLogs/AWS_ACCOUNT_NUMBER/WAFLogs/cloudfront/testui/${log_time}')
注意
範例中 LOCATION子句中的路徑格式是標準格式,但可能會根據您實作的 AWS WAF 組態而有所不同。例如,下列範例 AWS WAF 日誌路徑適用於 CloudFront 分佈:
s3://amzn-s3-demo-bucket/AWSLogs/AWS_ACCOUNT_NUMBER/WAFLogs/cloudfront/cloudfronyt/2025/01/01/00/00/
如果您在建立或查詢 AWS WAF 日誌資料表時遇到問題,請確認日誌資料或聯絡人 支援
如需有關分割區投影的詳細資訊,請參閱搭配 Amazon Athena 使用分割區投影。
