尝试使用半成品系统审核删除

发布于 2024-08-16 19:01:14 字数 3544 浏览 4 评论 0原文

我的 ERP 系统有一个半成品的删除跟踪系统，它将以下信息插入到名为 M2MDeleteLog 的表中。为了简单起见，我省略了不必要的列，例如 RecordId。

    LogDate           Workstation     LogInfo
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:29   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:00:29   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem

不幸的是，大部分相关信息都在 1 个文本字段中。第一步是从 LogInfo 字段中提取用户 (D.STEIN)、屏幕 (SOMAST) 和屏幕 (frmso)。这部分相对容易。

我想要做的是创建一个计划作业，每 15 分钟左右运行一次，以查找可疑活动。我将可疑活动定义为每个用户在 15 分钟间隔内进行 3 次删除。

但是等等！还有更多！

在我提供的数据中，只有 3 个删除事件，每个事件间隔不到一分钟。我将定义一个新的删除事件在最后一个删除事件之后至少 20 秒。

如何评估 LogDate，返回 15 分钟，计算每个用户的删除事件，以便在某个用户记录了超过 3 个删除事件时通知管理员？

原文

My ERP system has a half baked deletion tracking system which inserts the following info into a table called M2MDeleteLog. I have left out unnecessary columns such as RecordId for simplicity.

    LogDate           Workstation     LogInfo
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:51   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:51   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:01:00   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:01:00   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:29   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOMAST from form frmSo Parameters: NONE
    1/7/2010 11:00:29   TECH-M2MTEST    Deleting 1 Rows From SOMast
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SODBOM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SORELS from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Unqualified M2MDELETE by D.STEIN in SOITEM from form frmSo Parameters: NONE
    1/7/2010 11:00:28   TECH-M2MTEST    Deleting 1 Rows From SOItem

Unfortunately, most of the pertinent information is in 1 text field. The first step is to pull the user (D.STEIN), screen (SOMAST), and screen (frmso) from the LogInfo field. That part is relatively easy.

What I want to do is to create a scheduled job, which runs every 15 minutes or so, to look for suspicious activity. I would define suspicious activity as being 3 deletions in a 15 minute interval per user.

But wait! There's More!

In the data I provided, there are only 3 deletion events, each spaced less than a minute apart. I would define a new deletion event being at least 20 seconds after the last one.

How can I evaluate the LogDate, going back 15 minutes, counting the deletion events per user, so I can notify the admin when more than 3 are recorded for a certain user?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

茶花眉 2024-08-23 19:01:14

编辑：啊，天哪，我刚刚注意到 SQL2K 标签。示例 1 应该仍然有效，但示例 2 则不行。嗯，我们该如何解决这个问题......？

编辑：已修复！

编辑：更好！

假设您已经解析了文本字段，此查询将为您提供在 15 分钟窗口内同一用户至少有 2 次删除之前的任何删除：（

SELECT UserName, LogDate
FROM #parsed_data a
WHERE EXISTS (
  SELECT * FROM #parsed_data b
  WHERE a.UserName = b.UserName
    AND b.LogDate < a.LogDate
    AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
  HAVING COUNT(*) >= 2
  )

您应该在 (UserName LogDate) 上有一个索引，顺便说一句

）只计算间隔 20 秒或更长时间的删除，这并不那么简单。也许是这样的？

SQL2K，基于 Quassnoi 的此：

SELECT a.UserName, a.LogDate, b.LogDate, c.LogDate --, etc
FROM #parsed_data a
JOIN #parsed_data b 
  ON b.RecordId = (
    SELECT TOP 1 b0.RecordId FROM #parsed_data b0
    WHERE b0.UserName = a.UserName AND b0.LogDate < a.LogDate1
      AND DATEDIFF(MINUTE,b0.LogDate,a.LogDate) <= 15
      AND DATEDIFF(SECOND,b0.LogDate,a.LogDate) >= 20
    ORDER BY b0.LogDate DESC
    )
JOIN #parsed_data c
  ON c.RecordId = (
    SELECT TOP 1 c0.RecordId FROM #parsed_data c0
    WHERE c0.UserName = b.UserName AND c0.LogDate < b.LogDate
      AND DATEDIFF(MINUTE,c0.LogDate,a.LogDate) <= 15
      AND DATEDIFF(SECOND,c0.LogDate,b.LogDate) >= 20
    ORDER BY c0.LogDate DESC
    )

SQL2005/2008，CROSS APPLY：

SELECT a.UserName
, a.LogDate AS LogDate0 -- current
, b.LogDate AS LogDate1 -- prior
, c.LogDate as LogDate2 -- prior prior
FROM #parsed_data a
CROSS APPLY (
  SELECT TOP 1 b.LogDate FROM #parsed_data b 
  WHERE b.UserName = a.UserName
    AND b.LogDate < a.LogDate
    AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
    AND DATEDIFF(SECOND,b.LogDate,a.LogDate) >= 20
  ORDER BY b.LogDate DESC
  ) b
CROSS APPLY (
  SELECT TOP 1 c.LogDate FROM #parsed_data c
  WHERE c.UserName = a.UserName
    AND c.LogDate < b.LogDate
    AND DATEDIFF(MINUTE,c.LogDate,a.LogDate) <= 15
    AND DATEDIFF(SECOND,c.LogDate,b.LogDate) >= 20
  ORDER BY c.LogDate DESC
  ) c

在CROSS APPLY中，我使用TOP 1 LogDate...ORDER BY LogDate DESC而不是MAX(LogDate)，这样您就可以添加其他字段到结果集，如 RecordId、Workstation 等。

EDIT: ah, shoot, I just noticed the SQL2K tag. Example 1 should still work, but example 2 will not. Hmm, how could we remedy this.....?

EDIT: fixed!

EDIT: even better!

Asuming you have parsed the text field, this query will give you any deletion that was preceded by at least 2 deletions by the same user in a 15 minute window:

SELECT UserName, LogDate
FROM #parsed_data a
WHERE EXISTS (
  SELECT * FROM #parsed_data b
  WHERE a.UserName = b.UserName
    AND b.LogDate < a.LogDate
    AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
  HAVING COUNT(*) >= 2
  )

(You should have an index on (UserName LogDate), btw)

As far as only counting deletes spaced apart by 20 seconds or more, that's not so simple. Something like this perhaps?

SQL2K, based on this by Quassnoi:

SELECT a.UserName, a.LogDate, b.LogDate, c.LogDate --, etc
FROM #parsed_data a
JOIN #parsed_data b 
  ON b.RecordId = (
    SELECT TOP 1 b0.RecordId FROM #parsed_data b0
    WHERE b0.UserName = a.UserName AND b0.LogDate < a.LogDate1
      AND DATEDIFF(MINUTE,b0.LogDate,a.LogDate) <= 15
      AND DATEDIFF(SECOND,b0.LogDate,a.LogDate) >= 20
    ORDER BY b0.LogDate DESC
    )
JOIN #parsed_data c
  ON c.RecordId = (
    SELECT TOP 1 c0.RecordId FROM #parsed_data c0
    WHERE c0.UserName = b.UserName AND c0.LogDate < b.LogDate
      AND DATEDIFF(MINUTE,c0.LogDate,a.LogDate) <= 15
      AND DATEDIFF(SECOND,c0.LogDate,b.LogDate) >= 20
    ORDER BY c0.LogDate DESC
    )

SQL2005/2008, CROSS APPLY:

SELECT a.UserName
, a.LogDate AS LogDate0 -- current
, b.LogDate AS LogDate1 -- prior
, c.LogDate as LogDate2 -- prior prior
FROM #parsed_data a
CROSS APPLY (
  SELECT TOP 1 b.LogDate FROM #parsed_data b 
  WHERE b.UserName = a.UserName
    AND b.LogDate < a.LogDate
    AND DATEDIFF(MINUTE,b.LogDate,a.LogDate) <= 15
    AND DATEDIFF(SECOND,b.LogDate,a.LogDate) >= 20
  ORDER BY b.LogDate DESC
  ) b
CROSS APPLY (
  SELECT TOP 1 c.LogDate FROM #parsed_data c
  WHERE c.UserName = a.UserName
    AND c.LogDate < b.LogDate
    AND DATEDIFF(MINUTE,c.LogDate,a.LogDate) <= 15
    AND DATEDIFF(SECOND,c.LogDate,b.LogDate) >= 20
  ORDER BY c.LogDate DESC
  ) c

In the CROSS APPLY, I used TOP 1 LogDate...ORDER BY LogDate DESC rather than MAX(LogDate) so you can add other fields to the result set, like RecordId, Workstation, etc.

回复收藏 0 原文

~没有更多了~