In [20]:
import pandas as pd
import numpy as np
from pathlib import Path
import re
from datetime import datetime
import warnings
warnings.filterwarnings('ignore')

PROJECT_ROOT = Path(r"C:\Computer Science\AIMLDL\log-anomaly-detection")
DATASET_PATH = PROJECT_ROOT / "dataset"
LABELED_DATA_PATH = DATASET_PATH / "labeled_data"

In [None]:
def parse_android_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        current_year = datetime.now().year
        dt = datetime.strptime(f"{current_year}-{date_str} {time_str}", "%Y-%m-%d %H:%M:%S.%f")
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except:
        return None

def parse_apache_timestamp(row):
    try:
        time_str = str(row['Time']).strip()
        dt = datetime.strptime(time_str, "%a %b %d %H:%M:%S %Y")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_bgl_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        dt = datetime.strptime(date_str, "%Y.%m.%d")
        return dt.strftime("%Y-%m-%d 00:00:00.000")
    except:
        return None

def parse_hadoop_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip().replace(',', '.')
        dt = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S.%f")
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except:
        return None

def parse_hdfs_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        
        year = "20" + date_str[:2]
        month = date_str[2:4]
        day = date_str[4:6]
        
        hour = time_str[:2]
        minute = time_str[2:4]
        second = time_str[4:6]
        
        dt = datetime(int(year), int(month), int(day), int(hour), int(minute), int(second))
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_healthapp_timestamp(row):
    try:
        time_str = str(row['Time']).strip()
        parts = time_str.split(':')
        if len(parts) >= 4:
            time_str = ':'.join(parts[:-1]) + '.' + parts[-1]
        dt = datetime.strptime(time_str, "%Y%m%d-%H:%M:%S.%f")
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except:
        return None

def parse_hpc_timestamp(row):
    try:
        timestamp = int(str(row['Time']).strip())
        dt = datetime.fromtimestamp(timestamp)
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

In [None]:
def parse_linux_timestamp(row):
    try:
        month_str = str(row['Month']).strip()
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        current_year = datetime.now().year
        dt = datetime.strptime(f"{current_year} {month_str} {date_str} {time_str}", "%Y %b %d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_mac_timestamp(row):
    try:
        month_str = str(row['Month']).strip()
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        current_year = datetime.now().year
        dt = datetime.strptime(f"{current_year} {month_str} {date_str} {time_str}", "%Y %b %d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_openssh_timestamp(row):
    try:
        month_str = str(row['Date']).strip() 
        day_str = str(row['Day']).strip()
        time_str = str(row['Time']).strip()
        current_year = datetime.now().year
        dt = datetime.strptime(f"{current_year} {month_str} {day_str} {time_str}", "%Y %b %d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_openstack_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        dt = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S.%f")
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except:
        return None

def parse_proxifier_timestamp(row):
    try:
        time_str = str(row['Time']).strip()
        current_year = datetime.now().year
        dt = datetime.strptime(f"{current_year}.{time_str}", "%Y.%m.%d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_spark_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        dt = datetime.strptime(f"20{date_str} {time_str}", "%Y/%m/%d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_thunderbird_timestamp(row):
    try:
        if 'Month' in row and 'Day' in row and 'Time' in row:
            month_str = str(row['Month']).strip()
            day_str = str(row['Day']).strip()
            time_str = str(row['Time']).strip()
            current_year = datetime.now().year
            dt = datetime.strptime(f"{current_year} {month_str} {day_str} {time_str}", "%Y %b %d %H:%M:%S")
            return dt.strftime("%Y-%m-%d %H:%M:%S.000")
        elif 'Date' in row:
            date_str = str(row['Date']).strip()
            dt = datetime.strptime(date_str, "%Y.%m.%d")
            return dt.strftime("%Y-%m-%d 00:00:00.000")
        return None
    except:
        return None

def parse_windows_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip()
        dt = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S")
        return dt.strftime("%Y-%m-%d %H:%M:%S.000")
    except:
        return None

def parse_zookeeper_timestamp(row):
    try:
        date_str = str(row['Date']).strip()
        time_str = str(row['Time']).strip().replace(',', '.')
        dt = datetime.strptime(f"{date_str} {time_str}", "%Y-%m-%d %H:%M:%S.%f")
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    except:
        return None

In [23]:
def detect_log_type(filename):
    filename = filename.lower()
    if 'android' in filename:
        return 'android'
    elif 'apache' in filename:
        return 'apache'
    elif 'bgl' in filename:
        return 'bgl'
    elif 'hadoop' in filename:
        return 'hadoop'
    elif 'hdfs' in filename:
        return 'hdfs'
    elif 'health' in filename:
        return 'healthapp'
    elif 'hpc' in filename:
        return 'hpc'
    elif 'linux' in filename:
        return 'linux'
    elif 'mac' in filename:
        return 'mac'
    elif 'openssh' in filename:
        return 'openssh'
    elif 'openstack' in filename:
        return 'openstack'
    elif 'proxifier' in filename:
        return 'proxifier'
    elif 'spark' in filename:
        return 'spark'
    elif 'thunderbird' in filename:
        return 'thunderbird'
    elif 'windows' in filename:
        return 'windows'
    elif 'zookeeper' in filename or 'zookeper' in filename:
        return 'zookeeper'
    else:
        return 'unknown'

timestamp_parsers = {
    'android': parse_android_timestamp,
    'apache': parse_apache_timestamp,
    'bgl': parse_bgl_timestamp,
    'hadoop': parse_hadoop_timestamp,
    'hdfs': parse_hdfs_timestamp,
    'healthapp': parse_healthapp_timestamp,
    'hpc': parse_hpc_timestamp,
    'linux': parse_linux_timestamp,
    'mac': parse_mac_timestamp,
    'openssh': parse_openssh_timestamp,
    'openstack': parse_openstack_timestamp,
    'proxifier': parse_proxifier_timestamp,
    'spark': parse_spark_timestamp,
    'thunderbird': parse_thunderbird_timestamp,
    'windows': parse_windows_timestamp,
    'zookeeper': parse_zookeeper_timestamp
}

In [24]:
def normalize_timestamps_in_df(df, log_type):
    """
    Normalize timestamps in a dataframe based on log type
    
    Parameters:
    df: pandas DataFrame
    log_type: string indicating the log type
    
    Returns:
    DataFrame with normalized timestamps
    """
    df = df.copy()
    
    print(f"Normalizing timestamps for {log_type} logs...")
    print(f"Available columns: {list(df.columns)}")
    
    if log_type in timestamp_parsers:
        parser_func = timestamp_parsers[log_type]
        
        # Apply the parser function row-wise
        df['timestamp_normalized'] = df.apply(parser_func, axis=1)
        
        # Count successful conversions
        successful = df['timestamp_normalized'].notna().sum()
        total = len(df)
        print(f"Successfully normalized {successful}/{total} timestamps ({successful/total*100:.1f}%)")
        
        # Show some examples
        print("\nExample conversions:")
        examples = df[df['timestamp_normalized'].notna()].head(3)
        
        # Show original timestamp components and normalized result
        for idx, row in examples.iterrows():
            original_parts = []
            
            # Collect relevant timestamp columns based on log type
            if log_type == 'android':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'hadoop':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'hdfs':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'linux':
                original_parts.append(f"Month: {row.get('Month', 'N/A')}, Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'mac':
                original_parts.append(f"Month: {row.get('Month', 'N/A')}, Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'openssh':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Day: {row.get('Day', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'openstack':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'spark':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'thunderbird':
                original_parts.append(f"Month: {row.get('Month', 'N/A')}, Day: {row.get('Day', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'windows':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            elif log_type == 'zookeeper':
                original_parts.append(f"Date: {row.get('Date', 'N/A')}, Time: {row.get('Time', 'N/A')}")
            else:
                # For single column timestamps
                time_cols = [col for col in row.index if col.lower() in ['time', 'date', 'timestamp']]
                if time_cols:
                    original_parts.append(f"{time_cols[0]}: {row.get(time_cols[0], 'N/A')}")
            
            original_str = original_parts[0] if original_parts else "N/A"
            print(f"  Original: {original_str}")
            print(f"  Normalized: {row['timestamp_normalized']}")
            print()
            
    else:
        print(f"Warning: Unknown log type '{log_type}'. Supported types: {list(timestamp_parsers.keys())}")
    
    return df

In [25]:
csv_files = list(LABELED_DATA_PATH.glob("*_labeled.csv"))
print(f"Found {len(csv_files)} labeled CSV files")

Found 6 labeled CSV files


In [26]:
processed_files = {}

for file_path in sorted(csv_files):
    print(f"\n{'='*60}")
    print(f"Processing: {file_path.name}")
    print(f"Size: {file_path.stat().st_size / (1024 * 1024):.2f} MB")
    
    log_type = detect_log_type(file_path.name)
    print(f"Detected log type: {log_type}")
    
    try:
        df = pd.read_csv(file_path)
        print(f"Loaded dataframe with shape: {df.shape}")
        print(f"Columns: {list(df.columns)}")
        
        if log_type != 'unknown':
            df_normalized = normalize_timestamps_in_df(df, log_type)
            processed_files[file_path.name] = {
                'original_df': df,
                'normalized_df': df_normalized,
                'log_type': log_type,
                'file_path': file_path
            }
        else:
            print(f"Skipping {file_path.name} - unknown log type")
            
    except Exception as e:
        print(f"Error processing {file_path.name}: {str(e)}")


Processing: Apache_2k_labeled.csv
Size: 0.29 MB
Detected log type: apache
Loaded dataframe with shape: (2000, 9)
Columns: ['LineId', 'Time', 'Level', 'Content', 'EventId', 'EventTemplate', 'AnomalyLabel', 'AnomalyLabelName', 'Source']
Normalizing timestamps for apache logs...
Available columns: ['LineId', 'Time', 'Level', 'Content', 'EventId', 'EventTemplate', 'AnomalyLabel', 'AnomalyLabelName', 'Source']
Successfully normalized 2000/2000 timestamps (100.0%)

Example conversions:
  Original: Time: Sun Dec 04 04:47:44 2005
  Normalized: 2005-12-04 04:47:44.000

  Original: Time: Sun Dec 04 04:47:44 2005
  Normalized: 2005-12-04 04:47:44.000

  Original: Time: Sun Dec 04 04:51:08 2005
  Normalized: 2005-12-04 04:51:08.000


Processing: BGL_2k_labeled.csv
Size: 0.45 MB
Detected log type: bgl
Loaded dataframe with shape: (2000, 16)
Columns: ['LineId', 'Label', 'Timestamp', 'Date', 'Node', 'Time', 'NodeRepeat', 'Type', 'Component', 'Level', 'Content', 'EventId', 'EventTemplate', 'AnomalyLa

In [27]:
normalized_output_path = LABELED_DATA_PATH / "normalized"
normalized_output_path.mkdir(exist_ok=True)

print(f"Saving normalized files to: {normalized_output_path}")

for filename, data in processed_files.items():
    try:
        normalized_df = data['normalized_df']
        output_filename = filename.replace('_labeled.csv', '_normalized.csv')
        output_path = normalized_output_path / output_filename
        
        normalized_df.to_csv(output_path, index=False)
        
        file_size_mb = output_path.stat().st_size / (1024 * 1024)
        print(f"Saved: {output_filename} ({file_size_mb:.2f} MB)")
        
    except Exception as e:
        print(f"Error saving {filename}: {str(e)}")

Saving normalized files to: C:\Computer Science\AIMLDL\log-anomaly-detection\dataset\labeled_data\normalized
✓ Saved: Apache_2k_normalized.csv (0.33 MB)
✓ Saved: BGL_2k_normalized.csv (0.49 MB)
✓ Saved: HPC_2k_normalized.csv (0.29 MB)
✓ Saved: OpenSSH_2k_normalized.csv (0.44 MB)
✓ Saved: Proxifier_2k_normalized.csv (0.43 MB)
✓ Saved: Zookeeper_2k_normalized.csv (0.45 MB)


In [28]:
total_records = 0
total_normalized = 0

for filename, data in processed_files.items():
    df = data['normalized_df']
    log_type = data['log_type']
    
    normalized_col = None
    for col in df.columns:
        if 'normalized' in col.lower():
            normalized_col = col
            break
    
    if normalized_col:
        records = len(df)
        normalized_count = df[normalized_col].notna().sum()
        success_rate = (normalized_count / records * 100) if records > 0 else 0
        
        total_records += records
        total_normalized += normalized_count
        
        print(f"\n{filename}")
        print(f"  Log type: {log_type}")
        print(f"  Total records: {records:,}")
        print(f"  Normalized: {normalized_count:,}")
        print(f"  Success rate: {success_rate:.1f}%")
        
        if normalized_count > 0:
            sample_timestamps = df[normalized_col].dropna().head(2).tolist()
            print(f"  Sample normalized: {sample_timestamps}")

overall_success_rate = (total_normalized / total_records * 100) if total_records > 0 else 0
print(f"\nOVERALL SUMMARY:")
print(f"Total records processed: {total_records:,}")
print(f"Total normalized: {total_normalized:,}")
print(f"Overall success rate: {overall_success_rate:.1f}%")


Apache_2k_labeled.csv
  Log type: apache
  Total records: 2,000
  Normalized: 2,000
  Success rate: 100.0%
  Sample normalized: ['2005-12-04 04:47:44.000', '2005-12-04 04:47:44.000']

BGL_2k_labeled.csv
  Log type: bgl
  Total records: 2,000
  Normalized: 2,000
  Success rate: 100.0%
  Sample normalized: ['2005-06-03 00:00:00.000', '2005-06-03 00:00:00.000']

HPC_2k_labeled.csv
  Log type: hpc
  Total records: 2,000
  Normalized: 2,000
  Success rate: 100.0%
  Sample normalized: ['2004-02-26 19:42:22.000', '2004-05-16 09:42:58.000']

OpenSSH_2k_labeled.csv
  Log type: openssh
  Total records: 2,000
  Normalized: 2,000
  Success rate: 100.0%
  Sample normalized: ['2025-12-10 06:55:46.000', '2025-12-10 06:55:46.000']

Proxifier_2k_labeled.csv
  Log type: proxifier
  Total records: 2,000
  Normalized: 2,000
  Success rate: 100.0%
  Sample normalized: ['2025-10-30 16:49:06.000', '2025-10-30 16:49:06.000']

Zookeeper_2k_labeled.csv
  Log type: zookeeper
  Total records: 2,000
  Normalized: