In [1]:
from pyspark.sql.functions import *
from pyspark.sql.types import *
userSchema = StructType() \
        .add("window",StructType()\
             .add("start",TimestampType())\
             .add("end",TimestampType()))\
        .add("system", StringType())\
        .add("count", LongType())

In [89]:
raw_data = spark\
.readStream.format("parquet")\
.schema(userSchema)\
.load("/cms/users/carizapo/ming/groupdata_cmsweb_logs");
raw_data.printSchema()

root
 |-- window: struct (nullable = true)
 |    |-- start: timestamp (nullable = true)
 |    |-- end: timestamp (nullable = true)
 |-- system: string (nullable = true)
 |-- count: long (nullable = true)



In [23]:
temp_data = spark\
.read.format("parquet")\
.load("/cms/users/carizapo/ming/groupdata_cmsweb_logs");
temp_data.printSchema()

root
 |-- window: struct (nullable = false)
 |    |-- start: timestamp (nullable = true)
 |    |-- end: timestamp (nullable = true)
 |-- system: string (nullable = true)
 |-- count: long (nullable = false)



In [15]:
temp_data.show()

+--------------------+--------------------+-----+
|              window|              system|count|
+--------------------+--------------------+-----+
|[2019-06-21 10:02...|/das/request?pid=...|    4|
|[2019-06-21 09:29...|/das/request?pid=...|    3|
|[2019-06-21 09:44...|/das/request?pid=...|    9|
|[2019-06-21 09:44...|/das/request?pid=...|    6|
|[2019-06-21 09:43...|/das/request?pid=...|    1|
|[2019-06-21 10:02...|/das/request?inst...|    1|
|[2019-06-21 09:28...|/das/request?inst...|    1|
|[2019-06-21 09:44...|/das/request?inst...|    1|
|[2019-06-21 09:44...|/das/request?inpu...|    1|
|[2019-06-21 09:43...|/das/request?inst...|    1|
|[2019-06-21 09:53...|/das/request?pid=...|    1|
|[2019-06-21 09:23...|/das/request?pid=...|    2|
|[2019-06-21 09:53...|/das/request?view...|    1|
|[2019-06-21 09:23...|/das/request?view...|    1|
|[2019-06-21 09:38...|/dqm/offline/data...|    1|
|[2019-06-21 09:38...|/dqm/offline/data...|    1|
|[2019-06-21 09:42...|/dqm/offline/data...|    1|


In [74]:
from pyspark.sql import Window

#function to calculate number of seconds from number of days
days = lambda i: i * 86400

w = Window.partitionBy('system',window("window.start", "7 days"))
# .orderBy(col("window.start").cast('long')).rangeBetween(-days(7), 0)

freq_analyze_df=temp_data.select('*', avg('count').over(w).alias('avg')).sort('system','window')\
.select('*', (col('count') - first('avg').over(w)).alias('diff'))\
.select('*', when((abs(col('diff')) > col('avg')*0.7), 1).otherwise(0).alias('label'))
freq_analyze_df.show()

+--------------------+------+-----+----+-----+-----+
|              window|system|count| avg| diff|label|
+--------------------+------+-----+----+-----+-----+
|[2019-06-21 09:39...|   dqm|   10|21.5|-11.5|    0|
|[2019-06-21 09:42...|   dqm|   22|21.5|  0.5|    0|
|[2019-06-21 09:43...|   dqm|   34|21.5| 12.5|    0|
|[2019-06-21 09:44...|   dqm|   65|21.5| 43.5|    1|
|[2019-06-21 09:45...|   dqm|    5|21.5|-16.5|    1|
|[2019-06-21 09:53...|   dqm|   29|21.5|  7.5|    0|
|[2019-06-21 09:57...|   dqm|    1|21.5|-20.5|    1|
|[2019-06-21 09:58...|   dqm|    1|21.5|-20.5|    1|
|[2019-06-21 09:23...|   dqm|   18|21.5| -3.5|    0|
|[2019-06-21 09:24...|   dqm|    4|21.5|-17.5|    1|
|[2019-06-21 09:27...|   dqm|   12|21.5| -9.5|    0|
|[2019-06-21 09:28...|   dqm|   30|21.5|  8.5|    0|
|[2019-06-21 09:29...|   dqm|   39|21.5| 17.5|    1|
|[2019-06-21 09:30...|   dqm|   14|21.5| -7.5|    0|
|[2019-06-21 09:38...|   dqm|   26|21.5|  4.5|    0|
|[2019-06-21 09:59...|   dqm|   24|21.5|  2.5|

In [91]:
raw_data=raw_data.join(freq_analyze_df, ["system","window","count"], "inner")
raw_data.printSchema()

root
 |-- system: string (nullable = true)
 |-- window: struct (nullable = true)
 |    |-- start: timestamp (nullable = true)
 |    |-- end: timestamp (nullable = true)
 |-- count: long (nullable = true)
 |-- avg: double (nullable = true)
 |-- diff: double (nullable = true)
 |-- label: integer (nullable = false)



In [92]:
raw_data_flow = raw_data.writeStream.queryName("hdfs").outputMode("Append").format("memory").start()

In [90]:
raw_data_flow.stop()

In [15]:
# concat_data = raw_data.withColumn('feature', concat(col('system'), col('count'))).writeStream.queryName("concat").outputMode("Append").format("memory").start()

In [106]:
# concat_data.stop()

In [95]:
spark.streams.active

[<pyspark.sql.streaming.StreamingQuery at 0x7ff86a73cd30>]

In [99]:
raw_data_flow.lastProgress
# raw_data_flow.processAllAvailable()

{'id': 'fb161127-f1f7-4b1c-b1fe-ecfa1ad686ce',
 'runId': '9e0f330c-6ea9-4ed7-a3a5-df1eb33d7989',
 'name': 'hdfs',
 'timestamp': '2019-06-26T11:28:16.875Z',
 'batchId': 1,
 'numInputRows': 0,
 'inputRowsPerSecond': 0.0,
 'processedRowsPerSecond': 0.0,
 'durationMs': {'getOffset': 492, 'triggerExecution': 492},
 'stateOperators': [],
 'sources': [{'description': 'FileStreamSource[hdfs://analytix/cms/users/carizapo/ming/groupdata_cmsweb_logs]',
   'startOffset': {'logOffset': 0},
   'endOffset': {'logOffset': 0},
   'numInputRows': 0,
   'inputRowsPerSecond': 0.0,
   'processedRowsPerSecond': 0.0}],
 'sink': {'description': 'MemorySink'}}

In [100]:
alerts = spark.sql("select * from hdfs")
alerts.show()

+------+--------------------+-----+----+-----+-----+
|system|              window|count| avg| diff|label|
+------+--------------------+-----+----+-----+-----+
|   dqm|[2019-06-21 09:57...|    1|21.5|-20.5|    1|
|   dqm|[2019-06-21 09:58...|    1|21.5|-20.5|    1|
|   dqm|[2019-06-21 09:59...|   24|21.5|  2.5|    0|
|   dqm|[2019-06-21 10:00...|   19|21.5| -2.5|    0|
|   dqm|[2019-06-21 09:24...|    4|21.5|-17.5|    1|
|   dqm|[2019-06-21 09:27...|   12|21.5| -9.5|    0|
|   dqm|[2019-06-21 09:28...|   30|21.5|  8.5|    0|
|   dqm|[2019-06-21 09:29...|   39|21.5| 17.5|    1|
|   dqm|[2019-06-21 09:30...|   14|21.5| -7.5|    0|
|   dqm|[2019-06-21 09:38...|   26|21.5|  4.5|    0|
|   dqm|[2019-06-21 09:39...|   10|21.5|-11.5|    0|
|   dqm|[2019-06-21 09:42...|   22|21.5|  0.5|    0|
|   dqm|[2019-06-21 09:43...|   34|21.5| 12.5|    0|
|   dqm|[2019-06-21 09:44...|   65|21.5| 43.5|    1|
|   dqm|[2019-06-21 09:45...|    5|21.5|-16.5|    1|
|   dqm|[2019-06-21 09:53...|   29|21.5|  7.5|

In [18]:
alerts = spark.sql("select * from concat")
alerts.show()

+--------------------+--------------------+-----+--------------------+
|              window|              system|count|             feature|
+--------------------+--------------------+-----+--------------------+
|[2019-06-21 10:02...|/das/request?pid=...|    4|/das/request?pid=...|
|[2019-06-21 09:29...|/das/request?pid=...|    3|/das/request?pid=...|
|[2019-06-21 09:44...|/das/request?pid=...|    9|/das/request?pid=...|
|[2019-06-21 09:44...|/das/request?pid=...|    6|/das/request?pid=...|
|[2019-06-21 09:43...|/das/request?pid=...|    1|/das/request?pid=...|
|[2019-06-21 10:02...|/das/request?inst...|    1|/das/request?inst...|
|[2019-06-21 09:28...|/das/request?inst...|    1|/das/request?inst...|
|[2019-06-21 09:44...|/das/request?inst...|    1|/das/request?inst...|
|[2019-06-21 09:44...|/das/request?inpu...|    1|/das/request?inpu...|
|[2019-06-21 09:43...|/das/request?inst...|    1|/das/request?inst...|
|[2019-06-21 09:53...|/das/request?pid=...|    1|/das/request?pid=...|
|[2019