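My ERP system has a half-baked delete tracking system that inserts the following information into a table called M2MDeleteLog. For simplicity, I have left out unnecessary columns such as RecordId.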
LogDate Workstation LogInfo
1/7/2010 11:01:51 TECH-M2MTEST Deleting 1 Rows From SOMast
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Deleting 1 Rows From SOItem
1/7/2010 11:01:51 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:01:51 TECH-M2MTEST Deleting 1 Rows From SOItem
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Deleting 1 Rows From SOMast
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Deleting 1 Rows From SOItem
1/7/2010 11:01:00 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:01:00 TECH-M2MTEST Deleting 1 Rows From SOItem
1/7/2010 11:00:29 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
1/7/2010 11:00:29 TECH-M2MTEST Deleting 1 Rows From SOMast
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Deleting 1 Rows From SOItem
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
1/7/2010 11:00:28 TECH-M2MTEST Deleting 1 Rows From SOItem
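Unfortunately, most of the relevant information is in one text field. The first step is to extract the user (D.STEIN), the screen (SOMAST) and the screen (frmso) from the LogInfo field. That part is relatively easy.
What I would like to do is create a scheduled job that runs every 15 minutes or so to look for suspicious activity. I define suspicious activity as 3 deletes within a 15-minute interval per user.
But wait! There's more!
In the data I provided, there are only 3 delete events, each less than a minute apart. I would define a new delete event as being at least 20 seconds after the last one.
How can I evaluate LogDate, look back 15 minutes, and count the delete events per user, so that I can notify an administrator when more than 3 are recorded for a user?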
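Answer 0: (score: 1)
Edit: Fixed!
Edit: Better! Assuming you have already parsed the text field, this query will give you any delete that was preceded by at least 2 deletes by the same user within a 15-minute window: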
SELECT UserName, LogDate
FROM #parsed_data a
WHERE EXISTS (
    -- earlier rows by the same user in the 15 minutes before row a
    SELECT * FROM #parsed_data b
    WHERE a.UserName = b.UserName
      AND b.LogDate < a.LogDate
      AND DATEDIFF(MINUTE, b.LogDate, a.LogDate) <= 15
    HAVING COUNT(*) >= 2
)
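(You should have an index on (UserName, LogDate), btw.)
Only counting deletes that are 20 seconds or more apart, that's not so simple. Something like this, maybe?
SQL2K, based on this by Quassnoi: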
SELECT a.UserName, a.LogDate, b.LogDate, c.LogDate --, etc
FROM #parsed_data a
JOIN #parsed_data b
  ON b.RecordId = (
    -- latest row by the same user at least 20 seconds before a, within 15 minutes of a
    SELECT TOP 1 b0.RecordId FROM #parsed_data b0
    WHERE b0.UserName = a.UserName AND b0.LogDate < a.LogDate
      AND DATEDIFF(MINUTE, b0.LogDate, a.LogDate) <= 15
      AND DATEDIFF(SECOND, b0.LogDate, a.LogDate) >= 20
    ORDER BY b0.LogDate DESC
  )
JOIN #parsed_data c
  ON c.RecordId = (
    -- latest row at least 20 seconds before b, still within 15 minutes of a
    SELECT TOP 1 c0.RecordId FROM #parsed_data c0
    WHERE c0.UserName = b.UserName AND c0.LogDate < b.LogDate
      AND DATEDIFF(MINUTE, c0.LogDate, a.LogDate) <= 15
      AND DATEDIFF(SECOND, c0.LogDate, b.LogDate) >= 20
    ORDER BY c0.LogDate DESC
  )
SQL2005 / 2008, with CROSS APPLY:
SELECT a.UserName
     , a.LogDate AS LogDate0 -- current
     , b.LogDate AS LogDate1 -- prior
     , c.LogDate AS LogDate2 -- prior prior
FROM #parsed_data a
CROSS APPLY (
    SELECT TOP 1 b.LogDate FROM #parsed_data b
    WHERE b.UserName = a.UserName
      AND b.LogDate < a.LogDate
      AND DATEDIFF(MINUTE, b.LogDate, a.LogDate) <= 15
      AND DATEDIFF(SECOND, b.LogDate, a.LogDate) >= 20
    ORDER BY b.LogDate DESC
) b
CROSS APPLY (
    SELECT TOP 1 c.LogDate FROM #parsed_data c
    WHERE c.UserName = a.UserName
      AND c.LogDate < b.LogDate
      AND DATEDIFF(MINUTE, c.LogDate, a.LogDate) <= 15
      AND DATEDIFF(SECOND, c.LogDate, b.LogDate) >= 20
    ORDER BY c.LogDate DESC
) c
In the CROSS APPLY, I used TOP 1 LogDate ... ORDER BY LogDate DESC rather than MAX(LogDate), so that you can add other fields to the result set, such as RecordId, Workstation, etc.
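One way to collapse bursts of log rows into delete events (a row starts a new event when the same user's previous row is at least 20 seconds older) and then count events per user over the last 15 minutes. This is an added example, not part of the original answer. It assumes the answer's #parsed_data table with RecordId, UserName and LogDate, uses constructed sample rows, a hypothetical second user A.USER and a fixed @now, and needs SQL Server 2005 or later for ROW_NUMBER.

```sql
-- Constructed sample standing in for the already-parsed M2MDeleteLog rows.
CREATE TABLE #parsed_data (
    RecordId INT IDENTITY(1,1) PRIMARY KEY,
    UserName VARCHAR(50) NOT NULL,
    LogDate  DATETIME    NOT NULL
);
CREATE INDEX IX_parsed_user_date ON #parsed_data (UserName, LogDate);

INSERT INTO #parsed_data (UserName, LogDate)
SELECT 'D.STEIN', '2010-01-07T11:00:28' UNION ALL
SELECT 'D.STEIN', '2010-01-07T11:00:28' UNION ALL
SELECT 'D.STEIN', '2010-01-07T11:00:29' UNION ALL
SELECT 'D.STEIN', '2010-01-07T11:01:00' UNION ALL
SELECT 'D.STEIN', '2010-01-07T11:01:00' UNION ALL
SELECT 'D.STEIN', '2010-01-07T11:01:51' UNION ALL
SELECT 'A.USER',  '2010-01-07T11:01:10' UNION ALL  -- hypothetical user with a single burst
SELECT 'A.USER',  '2010-01-07T11:01:11';

-- The scheduled job would use GETDATE(); fixed here so the sample is reproducible.
DECLARE @now DATETIME;
SET @now = '2010-01-07T11:05:00';

WITH ordered AS (
    -- Number each user's rows in time order. Reading one extra minute back means a
    -- burst that straddles the window edge still sees its predecessor row.
    SELECT UserName, LogDate,
           ROW_NUMBER() OVER (PARTITION BY UserName ORDER BY LogDate, RecordId) AS rn
    FROM #parsed_data
    WHERE LogDate > DATEADD(MINUTE, -16, @now) AND LogDate <= @now
),
events AS (
    -- Keep only rows that start a new event: no previous row, or a gap of 20+ seconds.
    SELECT cur.UserName, cur.LogDate
    FROM ordered cur
    LEFT JOIN ordered prev
           ON prev.UserName = cur.UserName AND prev.rn = cur.rn - 1
    WHERE prev.rn IS NULL
       OR DATEDIFF(SECOND, prev.LogDate, cur.LogDate) >= 20
)
SELECT UserName, COUNT(*) AS DeleteEvents,
       MIN(LogDate) AS FirstEvent, MAX(LogDate) AS LastEvent
FROM events
WHERE LogDate > DATEADD(MINUTE, -15, @now)
GROUP BY UserName
HAVING COUNT(*) >= 3;  -- alert threshold; adjust to match the policy
```

Any row returned is a user who crossed the threshold in the window; the job can pass that result set to whatever notification step the administrator uses.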