# Description
Hey, the research involves offloading a lot of the computation to the underlying SQL database. Although beneficial for the speed of the algorithm, this does mean that loading all the data inside SQL is an expensive and annoying task.

This document is designed to explain the data loading and ease the process.

## Software
For this research, we used a dockerized PostgreSQL server and a python script loading all parquet files.

## Requirements
Please install docker.

# Step I
If you haven't done so, 

In [None]:
%

ERROR: unknown command "echo" - maybe you meant "search"
Note: you may need to restart the kernel to use updated packages.


In [8]:
import pandas as pd
from sqlalchemy import create_engine

# Replace with your actual PostgreSQL connection info
engine = create_engine('postgresql+psycopg://lanl:lanl@localhost/lanl', echo=False)

query = """
WITH enriched AS (
    SELECT
        FLOOR(ts / 20) * 20 AS time_bin,
        n_src.node_id AS src_ip_id,
        n_dst.node_id AS dst_ip_id,
        hp_src.node_id AS src_hostport_id,
        hp_dst.node_id AS dst_hostport_id,
        z.*
    FROM "ufw22" z
    JOIN ufw22_nodemap n_src
      ON z.src_ip_zeek = n_src.ip
    JOIN ufw22_nodemap n_dst
      ON z.dest_ip_zeek = n_dst.ip
    JOIN ufw22_clientmap hp_src
      ON z.src_ip_zeek = hp_src.ip AND z.src_port_zeek = hp_src.port
    JOIN ufw22_clientmap hp_dst
      ON z.dest_ip_zeek = hp_dst.ip AND z.dest_port_zeek = hp_dst.port
    WHERE z.datetime IS NOT NULL 
    AND z.datetime >= TIMESTAMP '2021-12-17 00:00:00'
    AND z.datetime < TIMESTAMP '2021-12-17 10:00:00'
),
filtered AS (
    SELECT
        time_bin,
        src_ip_id,
        dst_ip_id,
        ts,
        COUNT(DISTINCT uid) AS flow_count
    FROM enriched
    WHERE src_ip_id <> dst_ip_id
    GROUP BY time_bin, src_ip_id, dst_ip_id, uid, ts
)
SELECT *
FROM filtered
ORDER BY time_bin;
"""

# Execute and read into DataFrame
df = pd.read_sql_query(query, engine)

# Display first few rows
print(df.head())

       time_bin  src_ip_id  dst_ip_id            ts  flow_count
0  1.639746e+09          8        298  1.639746e+09           1
1  1.639746e+09         15        298  1.639746e+09           1
2  1.639746e+09         16         14  1.639746e+09           1
3  1.639746e+09         16         14  1.639746e+09           1
4  1.639746e+09         17         14  1.639746e+09           1


In [9]:
df['time_bin'].max()

np.float64(1639756780.0)

In [None]:
from torch_geometric.data import Data

for ts in range(1639746040, 1639756780, 20):
    df_t = df[df['time_bin'] == ts]
    data = Data()
    data.
    print(df_t.head())


       time_bin  src_ip_id  dst_ip_id            ts  flow_count
0  1.639746e+09          8        298  1.639746e+09           1
1  1.639746e+09         15        298  1.639746e+09           1
2  1.639746e+09         16         14  1.639746e+09           1
3  1.639746e+09         16         14  1.639746e+09           1
4  1.639746e+09         17         14  1.639746e+09           1
        time_bin  src_ip_id  dst_ip_id            ts  flow_count
59  1.639746e+09          1        328  1.639746e+09           1
60  1.639746e+09         16         14  1.639746e+09           1
61  1.639746e+09         16         14  1.639746e+09           1
62  1.639746e+09         17         14  1.639746e+09           1
63  1.639746e+09         18         14  1.639746e+09           1
         time_bin  src_ip_id  dst_ip_id            ts  flow_count
106  1.639746e+09          8        311  1.639746e+09           1
107  1.639746e+09         16         14  1.639746e+09           1
108  1.639746e+09         16