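I have a table containing IP flow data:
SRC_IP | SRC_BW | DST_IP | DST_BW
Most of the IP addresses I care about will appear in both columns, but some will only appear in SRC or DST. I am trying to get a list of unique IPs and sum their bandwidth (regardless of whether it was the source or the destination of the connection).
I currently have: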
SELECT SRC_IP, SRC_BYTES, DST_BYTES, SRC_BYTES + IFNULL(DST_BYTES,0) as TOTAL_BYTES
FROM
  (SELECT INET6_NTOA(bro_conn.CONN_ORIGH) as SRC_IP,
          SUM(bro_conn.CONN_ORIGIPBYTES) AS SRC_BYTES
   FROM bro_conn GROUP BY SRC_IP) src
LEFT JOIN
  (SELECT INET6_NTOA(bro_conn.CONN_RESPH) as DST_IP,
          SUM(bro_conn.CONN_RESPIPBYTES) AS DST_BYTES
   FROM bro_conn GROUP BY DST_IP) dst
ON src.SRC_IP = dst.DST_IP
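My problem is that if an address only shows up as a DST_IP, it does not appear in the list... Thoughts?
Answer 0: (score: 0)
You can use UNION ALL with conditional aggregation and do away with the LEFT JOIN operation: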
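-- Outer query: one row per IP, with bytes split by the role the address played
SELECT IP AS SRC_IP,
       SUM(CASE WHEN Type = 'SRC' THEN BYTES ELSE 0 END) AS SRC_BYTES,
       SUM(CASE WHEN Type = 'DST' THEN BYTES ELSE 0 END) AS DST_BYTES,
       SUM(BYTES) AS TOTAL_BYTES
FROM (
  -- Bytes sent by each address as connection originator
  SELECT INET6_NTOA(bro_conn.CONN_ORIGH) as IP,
         SUM(bro_conn.CONN_ORIGIPBYTES) AS BYTES,
         'SRC' AS Type
  FROM bro_conn
  GROUP BY IP  -- group by the alias defined in this subquery (SRC_IP does not exist here)
  UNION ALL
  -- Bytes sent by each address as connection responder
  SELECT INET6_NTOA(bro_conn.CONN_RESPH) as IP,
         SUM(bro_conn.CONN_RESPIPBYTES) AS BYTES,
         'DST' AS Type
  FROM bro_conn
  GROUP BY IP  -- likewise, DST_IP is not defined in this subquery
) AS t
GROUP BY IP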
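
The difference between the two queries can be checked on a small data set. The following is an added example, not code from the original question or answer: it runs both query shapes against an in-memory SQLite database, assuming a hypothetical table `conn` with text columns `orig_h` and `resp_h` (so `INET6_NTOA` is not needed) and three constructed flow records.

```python
import sqlite3

# Constructed sample flows (documentation address ranges); not data from the page.
# 192.0.2.10 appears only as a source, 203.0.113.9 only as a destination.
FLOWS = [
    ("192.0.2.10", 1000, "198.51.100.5", 4000),
    ("198.51.100.5", 300, "203.0.113.9", 700),
    ("198.51.100.5", 200, "203.0.113.9", 100),
]

# Shape of the question's query: rows exist only for addresses seen as a source.
LEFT_JOIN_SQL = """
SELECT src.ip, src.src_bytes + IFNULL(dst.dst_bytes, 0) AS total_bytes
FROM (SELECT orig_h AS ip, SUM(orig_ip_bytes) AS src_bytes
      FROM conn GROUP BY orig_h) src
LEFT JOIN (SELECT resp_h AS ip, SUM(resp_ip_bytes) AS dst_bytes
           FROM conn GROUP BY resp_h) dst
  ON src.ip = dst.ip
"""

# Shape of the answer's query: stack both roles, then aggregate once per address.
UNION_ALL_SQL = """
SELECT ip,
       SUM(CASE WHEN kind = 'SRC' THEN bytes ELSE 0 END) AS src_bytes,
       SUM(CASE WHEN kind = 'DST' THEN bytes ELSE 0 END) AS dst_bytes,
       SUM(bytes) AS total_bytes
FROM (SELECT orig_h AS ip, orig_ip_bytes AS bytes, 'SRC' AS kind FROM conn
      UNION ALL
      SELECT resp_h AS ip, resp_ip_bytes AS bytes, 'DST' AS kind FROM conn) t
GROUP BY ip
"""

def load():
    """Create the hypothetical conn table and insert the constructed flows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conn (orig_h TEXT, orig_ip_bytes INTEGER, "
               "resp_h TEXT, resp_ip_bytes INTEGER)")
    db.executemany("INSERT INTO conn VALUES (?, ?, ?, ?)", FLOWS)
    return db

def totals_left_join(db):
    """Map ip -> total bytes using the LEFT JOIN shape."""
    return {ip: total for ip, total in db.execute(LEFT_JOIN_SQL)}

def totals_union_all(db):
    """Map ip -> (src_bytes, dst_bytes, total_bytes) using the UNION ALL shape."""
    return {row[0]: tuple(row[1:]) for row in db.execute(UNION_ALL_SQL)}

if __name__ == "__main__":
    db = load()
    print("LEFT JOIN:", totals_left_join(db))
    print("UNION ALL:", totals_union_all(db))
```

For traffic accounting this matters because a host that only ever receives connections, such as a server or a scan target, is absent from the LEFT JOIN result but present in the UNION ALL result.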