# Mantel Log Processing Task

In [1]:
import re
import pandas as pd

## Setting all the different regex patterns to match fields with 

In [2]:
ip_pattern = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
timestamp_pattern = re.compile(r"\[(.+?)\]")

# Couldn't get the regex to work for matching this pattern. Went with string splitting instead, but leaving this here for 
# feedback
url_pattern =re.compile(r'(\bGET\b|\bPOST\b|\bPUT\b) \/[a-zA-Z]+-[a-zA-Z]+\/ (\bHTTP\b|\bHTTPS\b)\/[0-9].[0-9]')

In [3]:
f = open('../data/programming-task-example-data.log')
lines = f.readlines()

# Create fields for all data being extracted

ip_addresses = []
timestamps = []
urls = []
text_field = []
request_type = []

# For testing purposes only
line1 = lines[0]

for line in lines:
    ip_addresses.append(re.match(ip_pattern, line).group(0))
    timestamps.append(re.search(timestamp_pattern, line).group(0))
    
    text_field.append(line.split('"')[-2])
    
    # I couldn't create a regex expression to isolate the request from the URL, so hardcoding it here
    
    # Sample log file only had GET requests, but not sure if this is tested on another input    
    if 'GET' in line.split('"')[1]:
        request_type.append('GET')
        temp = line.split('"')[1][4:]
        urls.append(temp[:-9])
    elif 'POST' in line.split('"')[1]:
        request_type.append('POST')
        temp = line.split('"')[1][5:]
        urls.append(temp[:-9])
    elif 'PUT' in line.split('"')[1]:
        request_type.append('PUT')
        temp = line.split('"')[1][4:]
        urls.append(temp[:-9])
    
f.close()

In [4]:
# text_field testing -

display(line1.split('"')[-1])
print(line1.split('"')[-2])

'\n'

Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7 (KHTML, like Gecko) Epiphany/2.30.6 Safari/534.7


In [5]:
# request_type testing - 

print(line1.split('"')[1][4:])
temp = line1.split('"')[1][4:]
print(temp[:-9])

/intranet-analytics/ HTTP/1.1
/intranet-analytics/


## Creating a dataframe from the data extracted 

In [6]:
df = pd.DataFrame()
df['Timestamp'] = timestamps
df['Request Type'] = request_type
df['URLs'] = urls
df['IP Addresses'] = ip_addresses
df['Browser Information'] = text_field

In [7]:
df

Unnamed: 0,Timestamp,Request Type,URLs,IP Addresses,Browser Information
0,[10/Jul/2018:22:21:28 +0200],GET,/intranet-analytics/,177.71.128.21,Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) Appl...
1,[09/Jul/2018:10:11:30 +0200],GET,http://example.net/faq/,168.41.191.40,Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; H...
2,[11/Jul/2018:17:41:30 +0200],GET,/this/page/does/not/exist/,168.41.191.41,Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; H...
3,[09/Jul/2018:10:10:38 +0200],GET,http://example.net/blog/category/meta/,168.41.191.40,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7)...
4,[10/Jul/2018:22:22:08 +0200],GET,/blog/2018/08/survey-your-opinion-matters/,177.71.128.21,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKi...
5,[09/Jul/2018:23:00:42 +0200],GET,/docs/manage-users/,168.41.191.9,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0)...
6,[09/Jul/2018:10:11:56 +0200],GET,/blog/category/community/,168.41.191.40,Mozilla/5.0 (X11; U; Linux x86_64; ca-ad) Appl...
7,[10/Jul/2018:22:01:17 +0200],GET,/faq/,168.41.191.34,Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) Appl...
8,[10/Jul/2018:22:21:03 +0200],GET,/docs/manage-websites/,177.71.128.21,Mozilla/5.0 (compatible; MSIE 10.6; Windows NT...
9,[11/Jul/2018:15:49:46 +0200],GET,/faq/how-to-install/,50.112.00.28,Mozilla/5.0 (X11; U; Linux x86_64; ca-ad) Appl...


# Question 1 - Number of Unique IP Addresses

# Answer -

In [8]:
answer1 = len(df['IP Addresses'].unique())
print(f"The number of unique IP addresses in the log file is {answer1}.")

The number of unique IP addresses in the log file is 11.


# Question 2 - Top 3 Most Visited URLs

In [9]:
df.head()

Unnamed: 0,Timestamp,Request Type,URLs,IP Addresses,Browser Information
0,[10/Jul/2018:22:21:28 +0200],GET,/intranet-analytics/,177.71.128.21,Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) Appl...
1,[09/Jul/2018:10:11:30 +0200],GET,http://example.net/faq/,168.41.191.40,Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; H...
2,[11/Jul/2018:17:41:30 +0200],GET,/this/page/does/not/exist/,168.41.191.41,Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; H...
3,[09/Jul/2018:10:10:38 +0200],GET,http://example.net/blog/category/meta/,168.41.191.40,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7)...
4,[10/Jul/2018:22:22:08 +0200],GET,/blog/2018/08/survey-your-opinion-matters/,177.71.128.21,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKi...


Initially I just took the frequency of the URLs I extracted, but I didn't really feel like that answer was correct

E.g -

In [10]:
df['URLs'].value_counts().sort_values(ascending = False).head(3)

/docs/manage-websites/        2
/intranet-analytics/          1
/this/page/does/not/exist/    1
Name: URLs, dtype: int64



After looking at the URLs a bit closer, I realised that things like /docs/ or /faq/ repeated, so I thought that the domain was what you're looking for 

In [11]:
domains = []
for row in df['URLs']:
    if "http://" in row:
        domains.append(row.split('/')[2])
    else:
        domains.append(row.split('/')[1])

In [12]:
import collections
counter = collections.Counter(domains)
counter

Counter({'intranet-analytics': 1,
         'example.net': 2,
         'this': 1,
         'blog': 2,
         'docs': 4,
         'faq': 3,
         'asset.js': 1,
         'to-an-error': 1,
         '': 1,
         'moved-permanently': 1,
         'temp-redirect': 1,
         'translations': 1,
         'newsletter': 1,
         'hosting': 1,
         'download': 1,
         'asset.css': 1})

# Answer -

In [13]:
# Code taken from https://stackoverflow.com/questions/44076269/sort-counter-by-frequency-then-alphabetically-in-python
# Searched for 'python collections counter sort by frequency'

visited_urls = sorted(counter.items(), key = lambda item: (-item[1], item[0]))

# Adjust for how many URLs you want to see (e.g - task asks for 3)
TOP_X = 3

i = 0
while i < TOP_X:
    print(f"The website {visited_urls[i][0]} was visited {visited_urls[i][1]} times.")
    i += 1

The website docs was visited 4 times.
The website faq was visited 3 times.
The website blog was visited 2 times.


# Question 3 - Top 3 Most Active IP Addresses

In [14]:
df['IP Addresses'].head()

0    177.71.128.21
1    168.41.191.40
2    168.41.191.41
3    168.41.191.40
4    177.71.128.21
Name: IP Addresses, dtype: object

I started off with the same approach as Question 2 - a value_counts + sort_values approach, but again, didn't really get conclusive answers.

I then looked up what the numbers that make up an IP Address actually mean, and found that the first 3 sections are the Network ID, and the last section is the Host ID. I noticed in the sample data that the first 3 sections repeated often, with the last bit varying, so I took 'most active' IP address to mean most active network 

In [15]:
network_id = []
host_id = []

for row in df['IP Addresses']:
    network_id.append(row.split('.')[0] + '.' + row.split('.')[1] + '.' + row.split('.')[2])
    host_id.append(row.split('.')[-1])

# Answer -

In [16]:
df2 = pd.DataFrame()
df2['Network ID'] = network_id
df2['Host ID'] = host_id
df2.head()

Unnamed: 0,Network ID,Host ID
0,177.71.128,21
1,168.41.191,40
2,168.41.191,41
3,168.41.191,40
4,177.71.128,21


In [17]:
df2['Network ID'].value_counts().head(3)

168.41.191    11
50.112.00      4
72.44.32       4
Name: Network ID, dtype: int64