mv unions 2

1. WITH table_traffic as (select attack_id, timestamp, protocol, destinationPort, sourcePort, srcIp, sum(packetPayloadFullLength * 8 * sampleRatio) as bps, sum(sampleRatio) as pps
2. from cloud_stat_dev.raw_traffic
3. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67'
4. group by attack_id, timestamp, protocol, destinationPort, sourcePort, srcIp
5. order by timestamp),
6. table_protocoled as (select attack_id, timestamp, protocol, sum(bps) as bps, sum(pps) as pps
7. from table_traffic
8. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67'
9. group by attack_id, timestamp, protocol
10. order by timestamp, protocol),
11. table_destination_tcp_ported as (select attack_id, timestamp, destinationPort, sum(bps) as bps, sum(pps) as pps
12. from table_traffic
13. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67' and protocol = 6
14. group by attack_id, timestamp, destinationPort
15. order by timestamp, destinationPort),
16. table_destination_udp_ported as (select attack_id, timestamp, destinationPort, sum(bps) as bps, sum(pps) as pps
17. from table_traffic
18. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67' and protocol = 17
19. group by attack_id, timestamp, destinationPort
20. order by timestamp, destinationPort),
21. table_source_tcp_ported as (select attack_id, timestamp, sourcePort, sum(bps) as bps, sum(pps) as pps
22. from table_traffic
23. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67' and protocol = 6
24. group by attack_id, timestamp, sourcePort
25. order by timestamp, sourcePort),
26. table_source_udp_ported as (select attack_id, timestamp, sourcePort, sum(bps) as bps, sum(pps) as pps
27. from table_traffic
28. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67' and protocol = 17
29. group by attack_id, timestamp, sourcePort
30. order by timestamp, sourcePort),
31. table_source_iped as (select attack_id, timestamp, srcIp, sum(bps) as bps, sum(pps) as pps
32. from table_traffic
33. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67'
34. group by attack_id, timestamp, srcIp
35. order by timestamp, srcIp)
36.  
37. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/proto/peak' as group, protocol as group_value,
38. max(bps) as bits, max(pps) as packets
39. from table_protocoled
40. group by attack_id, timestamp, protocol
41. order by timestamp, protocol
42.  
43. UNION ALL
44.  
45. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/proto' as group, protocol as group_value,
46. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
47. from table_protocoled
48. group by attack_id, timestamp, protocol
49. order by timestamp, protocol
50.  
51. UNION ALL
52.  
53. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/src-asn' as group, srcAsn as group_value,
54. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
55. from (
56. select attack_id, timestamp, srcAsn, sum(packetPayloadFullLength * 8 * sampleRatio) as bps, sum(sampleRatio) as pps
57. from cloud_stat_dev.raw_traffic
58. where attack_id = 'fab4ea04-e1d7-4628-9c9b-3f5ebcb2da67'
59. group by attack_id, timestamp, srcAsn
60. order by timestamp, srcAsn)
61. group by attack_id, timestamp, srcAsn
62. order by timestamp, srcAsn
63.  
64. UNION ALL
65.  
66. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/src-ip' as group, srcIp as group_value,
67. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
68. from table_source_iped
69. group by attack_id, timestamp, srcIp
70. order by timestamp, srcIp
71.  
72. UNION ALL
73.  
74. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/src-ip/peak' as group, srcIp as group_value,
75. max(bps) as bits, max(pps) as packets
76. from table_source_iped
77. group by attack_id, timestamp, srcIp
78. order by timestamp, srcIp
79.  
80. UNION ALL
81.  
82. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/tcp/src-port' as group, sourcePort as group_value,
83. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
84. from table_source_tcp_ported
85. group by attack_id, timestamp, sourcePort
86. order by timestamp, sourcePort
87.  
88. UNION ALL
89.  
90. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/udp/src-port' as group, sourcePort as group_value,
91. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
92. from table_source_udp_ported
93. group by attack_id, timestamp, sourcePort
94. order by timestamp, sourcePort
95.  
96. UNION ALL
97.  
98. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/udp/dst-port' as group, destinationPort as group_value,
99. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
100. from table_destination_udp_ported
101. group by attack_id, timestamp, destinationPort
102. order by timestamp, destinationPort
103.  
104. UNION ALL
105.  
106. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-in/tcp/dst-port' as group, destinationPort as group_value,
107. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
108. from table_destination_tcp_ported
109. group by attack_id, timestamp, destinationPort
110. order by timestamp, destinationPort
111.  
112. UNION ALL
113.  
114. select attack_id, toStartOfInterval(timestamp, interval 10 second) as timestamp, 'ext-int/total' as group, 0 as group_value,
115. toUInt64(FLOOR(sum(bps) / 10)) as bits, toUInt64(FLOOR(sum(pps) / 10)) as packets
116. from table_traffic
117. group by attack_id, timestamp
118. order by timestamp