How to get the records from Amazon Athena for past week only

aws

I am writing a query to get Amazon Athena records for the past one week only. Here is what I wrote so far:

WITH events AS (
  SELECT
    event.eventVersion,
    event.eventID,
    event.eventTime,
    event.eventName,
    event.eventType,
    event.eventSource,
    event.awsRegion,
    event.sourceIPAddress,
    event.userAgent,  
    event.userIdentity.type AS userType,
    event.userIdentity.arn AS userArn,
    event.userIdentity.principalId as userPrincipalId,
    event.userIdentity.accountId as userAccountId,
    event.userIdentity.userName as userName
  FROM cloudtrail.events
  CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin';

But I am not sure how to write it to extract records for the past 1 week only.

Best Answer

@Philᵀᴹ's answer is almost there. I just used it on my query and found the fix. I would have commented, but don't have enough points, so here's the answer.

You have to use current_timestamp and then convert it to iso8601 format. Like so:

WITH events AS (
  SELECT
    event.eventVersion,
    event.eventID,
    event.eventTime,
    event.eventName,
    event.eventType,
    event.eventSource,
    event.awsRegion,
    event.sourceIPAddress,
    event.userAgent,  
    event.userIdentity.type AS userType,
    event.userIdentity.arn AS userArn,
    event.userIdentity.principalId as userPrincipalId,
    event.userIdentity.accountId as userAccountId,
    event.userIdentity.userName as userName
  FROM cloudtrail.events
  CROSS JOIN UNNEST (Records) AS r (event)
)
SELECT userName,sourceIPAddress,eventName,eventTime FROM events WHERE eventName='ConsoleLogin'
and eventTime > to_iso8601(current_timestamp - interval '7' day);

You can test the format you actually need by doing a test query like this:

SELECT to_iso8601(current_date - interval '7' day);

Returns: '2018-06-05'

SELECT to_iso8602(current_timestamp - interval '7' day);

Returns: '2018-06-05T19:25:21.331Z', which is the same format as event.eventTime, and that works.

Related Solutions

MySQL – How to Solve ‘The Table is Full’ Error 1114 with Amazon RDS

If you only have 40% of 15 GB = 6 GB free, you aren't going to be able to have two copies of a 7 GB table on the instance at the same time, whether you use ALTER TABLE (which usually creates an entire copy of the table and then replaces the existing table with it, as RolandoMySQLDBA explained) or create another table and insert the data.

It sounds like your instance doesn't have enough storage to do either.

You should be able to increase the available storage on a running instance from the management console by selecting the instance, choosing "Modify," changing the amount of storage allocated, and clicking "ok." See:

http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/USER_ScalingStorage.html

~~I don't know how RDS handles this in the background, so I don't know if your database will become unavailable for a short time during the change.~~

This operation will warn you about potential performance degradation while the instance is being modified, but you should find that the instance remains available and accessible and that within a few minutes the operation is complete without any disruption of your instance's availability.

PostgreSQL – How to Get pg_archivecleanup on Amazon Linux 2014.03

With the help of this AWS forum thread, I realized that this line in /etc/yum.conf

exclude=postgresql*

excludes not only updates but installs. Once I commented that out (temporarily), I was able to use

sudo yum install postgresql-contrib

to install postgresql-contrib directly from the Amazon repo--no need for changing the repository or the operating system.

Best Answer

Related Solutions

MySQL – How to Solve ‘The Table is Full’ Error 1114 with Amazon RDS

PostgreSQL – How to Get pg_archivecleanup on Amazon Linux 2014.03

Related Question