我有一个包含“用户会话”的表,另一个表示系统中存在违规。一个可能的违规行为是让用户连续登录超过12小时。
表格如下:
notification:
+--------------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------------+-------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| host_id | int(11) | NO | MUL | NULL | |
| alert_id | int(11) | NO | MUL | NULL | |
| event_start | datetime | NO | | NULL | |
| time_noticed | datetime | NO | | NULL | |
| info | varchar(45) | YES | | NULL | |
| seen | int(11) | NO | | NULL | |
+--------------+-------------+------+-----+---------+----------------+
login:
+----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| username | varchar(45) | NO | | NULL | |
| host_id | int(11) | NO | MUL | NULL | |
| start | datetime | NO | | NULL | |
| end | datetime | NO | | NULL | |
| last | int(11) | NO | | NULL | |
+----------+-------------+------+-----+---------+-------+
我想要的结果表条件是:
login.last = 1,login.host_id = X,end> start + 12hours
并确保我之前没有报告此实例:
login.host_id!= notification.host_id,notification.alert_id!= Y,login.start!= notification.event_start,login.username!= notification.info
(换句话说,我不希望在同一主机上获得同一用户的另一个报告,同时发生相同的违规行为)
答案 0 :(得分:2)
SELECT DISTINCT username, start
FROM login
LEFT OUTER JOIN notification ON
(login.host_id = notification.host_id
AND login.start = notification.event_start
AND login.username = notification.info)
WHERE
end>DATE_ADD(start,INTERVAL 12 HOUR)
AND login.host_id=$host_id
AND last=1
AND login.id IS NULL
此查询应使用“不存在”类型的搜索(尝试EXPLAIN),这对查询性能有利。 也许值得将UNIQUE KEY放在通知'host_id,event_started,info'上并使用INSERT IGNORE