In [344]:
import pandas as pd
import numpy as np
import gzip
import re
import dateutil.parser

In [438]:
class DataAnalysis(object):
    def __init__(self,gzip_path,session_period):
        '''
        purpose : read data from gzip and transform data into dataframe
        param gzip_path      : path of data
        param session_period : define total time for a session (unit: second)
        '''
        # a list of all column name
        self.column_list=[
        'timestamp',
        'elb',
        'client:port',
        'backend:port',
        'request_processing_time',
        'backend_processing_time',
        'response_processing_time',
        'elb_status_code',
        'backend_status_code',
        'received_bytes',
        'sent_bytes',
        'request',
        'user_agent',
        'ssl_cipher',
        'ssl_protocol']
        self.session_period=session_period
        self.content_list=[]
        with gzip.open(gzip_path, 'rb') as f:
            for row in f:

                variable_row=re.split((" (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)"),row.strip().decode())

                #string split succefully
                if len(variable_row)==len(self.column_list):
                    pass
                # double quotation in request dealing       
                else:
                    request=re.search("GET.*HTTP/[0-9]+.[0-9]+",row.strip().decode())[0]
                    row_update=re.sub('"GET.*HTTP/[0-9]+.[0-9]+" ','',row.strip().decode())
                    variable_row=re.split((" (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)"),row_update)
                    variable_row.insert(self.column_list.index('request'),request)
                self.content_list.append(variable_row)        
        self.log_dataframe=pd.DataFrame(self.content_list,columns=self.column_list)
        # format 'timestamp' from str into timestamp
        self.log_dataframe['timestamp']=self.log_dataframe['timestamp'].apply(lambda x:dateutil.parser.parse(x))
    def SessionAnalysis(self):
        '''
        Q1      : session analysis
        purpose : aggregrate all page hits by visitor/IP during a defined session
        '''
        self.result_dict={}
        # select and sort by client:port,timestamp and tansform dataframe into list
        for index,item in enumerate(self.log_dataframe[['client:port','timestamp']].sort_values(by=['client:port','timestamp']).values.tolist()):
            if item[0] not in self.result_dict.keys():
                self.result_dict[item[0]]=[[item[1]]]
            else:
                if (item[1]-self.result_dict[item[0]][-1][0]).total_seconds()<self.session_period:            
                    self.result_dict[item[0]][-1].append(item[1])
                else:
                    self.result_dict[item[0]].append([item[1]])
        
        #total clicks for all sessions
        sum_all_session=sum([len(session) for item in self.result_dict.values() for session in item])
        # total session numbers
        session_num=len([len(session) for item in self.result_dict.values() for session in item])
        
        # average click times per session
        return sum_all_session/session_num
    def SessionAverageTime(self):
        '''
        Q2      : average session time
        purpose : aggregrate average session time during a session period
        '''
        self.average_time_dict={}
        for key in self.result_dict.keys():
            
            # record time period between the first and the last request
            for session in self.result_dict[key]:
            
                #ignore only  one click during a session
                if len(session) ==1:
                    pass
                
                elif key not in self.average_time_dict.keys():
                    self.average_time_dict[key]=[(session[-1]-session[0]).total_seconds()]
                
                else:
                    self.average_time_dict[key].append((session[-1]-session[0]).total_seconds())
        
        
        
        # total session time
        total_session_time=sum([time for session in self.average_time_dict.values() for time in session])       
        # total session number
        total_session_numbers=len([time for session in self.average_time_dict.values() for time in session])
        
        # return average time (seconds)
        return  total_session_time / total_session_numbers
    def DistinctSessionAnalysis(self):
        '''
        Q3      : session analysis with distinct visited URL
        purpose : aggregrate all dustinct URLs hits by visitor/IP during a defined session
        '''
        self.result_dict={}
        # select and sort by client:port,timestamp and tansform dataframe into list
        for index,item in enumerate(self.log_dataframe[['client:port','timestamp','request']].sort_values(by=['client:port','timestamp']).values.tolist()):

            if item[0] not in self.result_dict.keys():
                distinct=[]
                self.result_dict[item[0]]=[[item[1]]]
                distinct.append(item[2])
            else:
                if (item[1]-self.result_dict[item[0]][-1][0]).total_seconds()<self.session_period:            
                    # only record distinct request
                    if item[2] not in distinct:
                        self.result_dict[item[0]][-1].append(item[1])
                    else:
                        pass
                else:
                    distinct=[]
                    self.result_dict[item[0]].append([item[1]])
                    distinct.append(item[2])
        
        #total clicks for all sessions
        distinct_sum_all_session=sum([len(session) for item in self.result_dict.values() for session in item])
        # total session numbers
        distinct_session_num=len([len(session) for item in self.result_dict.values() for session in item])
        
        # average click times per session
        return distinct_sum_all_session / distinct_session_num
    
    def MostEngagedUsers(self):
        '''
        Q4      : most engaged users
        purpose : find out the ip with the longest within a session
        '''       
        # use session time record (SessionAverageTime) in Q2 to aggregate result
        self.engaged_time={}
        for IP in self.average_time_dict.keys():
            
            if sum(self.average_time_dict[IP]) not in self.engaged_time.keys():
                self.engaged_time[sum(self.average_time_dict[IP])]=[IP]
            else:
                self.engaged_time[sum(self.average_time_dict[IP])].append(IP)

        longest_session_time=max(self.engaged_time.keys()) 
        most_engaged_users_list=self.engaged_time[longest_session_time]  
        # return the user with the longest duration of all sessions
        return most_engaged_users_list,longest_session_time      

## Processing & Analytical goals:

1. Sessionize the web log by IP. Sessionize = aggregrate all page hits by visitor/IP during a session.
    https://en.wikipedia.org/wiki/Session_(web_analytics)

2. Determine the average session time

3. Determine unique URL visits per session. To clarify, count a hit to a unique URL only once per session.

4. Find the most engaged users, ie the IPs with the longest session times

In [440]:
gzip_path_str='data/2015_07_22_mktplace_shop_web_log_sample.log.gz'
# define 1800 seconds as a session
session_period_int=1800
data=DataAnalysis(gzip_path=gzip_path_str,session_period=session_period_int)

# Q1 average clicks per session (defined session as 1800 seconds)
resultQ1=data.SessionAnalysis()
print('average clicks per session(%s seconds): '%session_period_int,resultQ1)

# Q2 average clicks per session (defined session as 1800 seconds)
resultQ2=data.SessionAverageTime()
print('average session time(seconds) per session(%s seconds): '%session_period_int,resultQ2)

# Q3 average distinct urls visited per session (defined session as 1800 seconds)
resultQ3=data.DistinctSessionAnalysis()
print('unique URL visits per session(%s seconds): '%session_period_int,resultQ3)
# Q4 most engaged users per session (defined session as 1800 seconds)
resultQ4,overall_duration_time=data.MostEngagedUsers()
if len(resultQ4)==1:
    print('With the longest overall session time at %s seconds, the most engaged user is: '%overall_duration_time,resultQ4[0])
else:
    print('With the longest overall session time at %s seconds, the most engaged users are: '%overall_duration_time,resultQ4)


average clicks per session(1800 seconds):  2.658091634755036
average session time(seconds) per session(1800 seconds):  59.710654312987316
unique URL visits per session(1800 seconds):  2.5680905104866705
With the longest overall session time at 4718.3 seconds, the most engaged user is:  203.191.34.178:10400


In [395]:
data.log_dataframe.head(20)

Unnamed: 0,timestamp,elb,client:port,backend:port,request_processing_time,backend_processing_time,response_processing_time,elb_status_code,backend_status_code,received_bytes,sent_bytes,request,user_agent,ssl_cipher,ssl_protocol
0,2015-07-22 09:00:28.019143+00:00,marketpalce-shop,123.242.248.130:54635,10.0.6.158:80,2.2e-05,0.026109,2e-05,200,200,0,699,"""GET https://paytm.com:443/shop/authresponse?c...","""Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebK...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
1,2015-07-22 09:00:27.894580+00:00,marketpalce-shop,203.91.211.44:51402,10.0.4.150:80,2.4e-05,0.15334,2.6e-05,200,200,0,1497,"""GET https://paytm.com:443/shop/wallet/txnhist...","""Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/2...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
2,2015-07-22 09:00:27.885745+00:00,marketpalce-shop,1.39.32.179:56419,10.0.4.244:80,2.4e-05,0.164958,1.7e-05,200,200,0,157,"""GET https://paytm.com:443/shop/wallet/txnhist...","""Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537....",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
3,2015-07-22 09:00:28.048369+00:00,marketpalce-shop,180.179.213.94:48725,10.0.6.108:80,2e-05,0.002333,2.1e-05,200,200,0,35734,"""GET https://paytm.com:443/shop/p/micromax-yu-...","""-""",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
4,2015-07-22 09:00:28.036251+00:00,marketpalce-shop,120.59.192.208:13527,10.0.4.217:80,2.4e-05,0.015091,1.6e-05,200,200,68,640,"""POST https://paytm.com:443/papi/v1/expresscar...","""Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebK...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
5,2015-07-22 09:00:28.033793+00:00,marketpalce-shop,117.239.195.66:50524,10.0.6.195:80,2.4e-05,0.02157,2.1e-05,200,200,0,60,"""GET https://paytm.com:443/api/user/favourite?...","""Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537....",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
6,2015-07-22 09:00:28.055029+00:00,marketpalce-shop,101.60.186.26:33177,10.0.4.244:80,2e-05,0.001098,2.2e-05,200,200,0,1150,"""GET https://paytm.com:443/favicon.ico HTTP/1.1""","""Mozilla/5.0 (Windows NT 6.3; rv:27.0) Gecko/2...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
7,2015-07-22 09:00:28.050298+00:00,marketpalce-shop,59.183.41.47:62014,10.0.4.227:80,2.1e-05,0.008161,2.1e-05,200,200,0,72,"""GET https://paytm.com:443/papi/rr/products/69...","""Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebK...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
8,2015-07-22 09:00:28.059081+00:00,marketpalce-shop,117.239.195.66:50538,10.0.4.227:80,1.9e-05,0.001035,2.1e-05,200,200,0,396,"""GET https://paytm.com:443/images/greyStar.png...","""Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537....",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2
9,2015-07-22 09:00:28.054939+00:00,marketpalce-shop,183.83.237.83:49687,10.0.6.108:80,2.3e-05,0.008762,2.1e-05,200,200,0,214,"""GET https://paytm.com:443/shop/cart?channel=w...","""Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebK...",ECDHE-RSA-AES128-GCM-SHA256,TLSv1.2


In [384]:
session_second=1800
# for i in 
dic={}
for index,item in enumerate(data.log_dataframe[['client:port','timestamp']].iloc[:10000,:].sort_values(by=['client:port','timestamp']).values.tolist()):
    if item[0] not in dic.keys():
        dic[item[0]]=[[item[1]]]
    else:
        if (item[1]-dic[item[0]][-1][0]).total_seconds()<session_second:            
            dic[item[0]][-1].append(item[1])
        else:
            dic[item[0]].append([item[1]])
            

In [374]:
data.log_dataframe[['client:port','timestamp']].iloc[:10,:].sort_values(by=['client:port','timestamp']).transpose().values.tolist()

[['1.39.32.179:56419',
  '101.60.186.26:33177',
  '117.239.195.66:50524',
  '117.239.195.66:50538',
  '120.59.192.208:13527',
  '123.242.248.130:54635',
  '180.179.213.94:48725',
  '183.83.237.83:49687',
  '203.91.211.44:51402',
  '59.183.41.47:62014'],
 [Timestamp('2015-07-22 09:00:27.885745+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.055029+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.033793+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.059081+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.036251+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.019143+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.048369+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.054939+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:27.894580+0000', tz='tzutc()'),
  Timestamp('2015-07-22 09:00:28.050298+0000', tz='tzutc()')]]

In [378]:
dic.keys()

dict_keys(['1.39.32.179:56419', Timestamp('2015-07-22 09:00:27.885745+0000', tz='tzutc()')])

In [None]:
data.log_dataframe.timestamp.max(),data.log_dataframe.timestamp.min()

In [334]:
q.timestamp.min()

Timestamp('2015-07-22 05:09:10.708356+0000', tz='tzutc()')

In [278]:
column_list=[
'timestamp',
'elb',
'client:port',
'backend:port',
'request_processing_time',
'backend_processing_time',
'response_processing_time',
'elb_status_code',
'backend_status_code',
'received_bytes',
'sent_bytes',
'request',
'user_agent',
'ssl_cipher',
'ssl_protocol']
content_list=[]
with gzip.open('data/2015_07_22_mktplace_shop_web_log_sample.log.gz', 'rb') as f:
    for row in f:
        
        variable_row=re.split((" (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)"),row.strip().decode())
        
        #string split succefully
        if len(variable_row)==len(column_list):
            pass
        # double quotation        
        else:
            request=re.search("GET.*HTTP/[0-9]+.[0-9]+",row.strip().decode())[0]
            row_update=re.sub('"GET.*HTTP/[0-9]+.[0-9]+" ','',row.strip().decode())
            variable_row=re.split((" (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)"),row_update)
            variable_row.insert(column_list.index('request'),request)
        
        content_list.append(variable_row)

In [276]:
content_list[496260]

['2015-07-22T16:10:50.867328Z',
 'marketpalce-shop',
 '59.93.224.85:12012',
 '10.0.4.244:80',
 '0.000024',
 '0.003478',
 '0.000016',
 '200',
 '200',
 '0',
 '1999',
 '"GET https://paytm.com:443/offer/wp-content/plugins/wc-gallery/includes/css/magnific-popup.css?ver=0.9.9 HTTP/1.1"',
 '"Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; HTC One X+ Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
 'ECDHE-RSA-AES128-SHA',
 'TLSv1']

In [277]:
q[0]

b'2015-07-22T16:10:50.873283Z marketpalce-shop 106.51.132.54:4210 10.0.6.99:81 0.000024 0.000215 0.00002 301 301 0 178 "GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(981045)%3C/ScRiPt%3E/about HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" - -\n'

In [284]:
for i in [496261,
 496278,
 496681,
 496708,
 496964,
 497003,
 497229,
 497256,
 497725,
 497766,
 497963,
 497986]:
    print(content_list[i])
    print()
    print()
    print()

['2015-07-22T16:10:50.873283Z', 'marketpalce-shop', '106.51.132.54:4210', '10.0.6.99:81', '0.000024', '0.000215', '0.00002', '301', '301', '0', '178', 'GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(981045)%3C/ScRiPt%3E/about HTTP/1.1', '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"', '-', '-']



['2015-07-22T16:10:50.917039Z', 'marketpalce-shop', '106.51.132.54:4170', '10.0.4.150:80', '0.000025', '0.004734', '0.000014', '200', '200', '0', '13820', 'GET https://paytm.com:443/\'"()&%251<ScRiPt%20>prompt(981045)</ScRiPt>/about HTTP/1.1', '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"', 'DHE-RSA-AES128-SHA', 'TLSv1']



['2015-07-22T16:10:51.693786Z', 'marketpalce-shop', '106.51.132.54:4213', '10.0.4.227:81', '0.000023', '0.001021', '0.000022', '301', '301', '0', '178', 'GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(979725)%3C/ScRiPt%3E/bug-bounty HTTP/1.1', '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW

In [279]:
from collections import Counter
dic={}
for ix,i in enumerate(content_list):
    if len(i) not in dic.keys():
        dic[len(i)]=[ix]
    else:
        dic[len(i)].append(ix)
    

In [280]:
dic.keys()

dict_keys([15])

In [112]:
q=[]
with gzip.open('data/2015_07_22_mktplace_shop_web_log_sample.log.gz', 'rb') as f:
    for index,row in enumerate(f):
        if index in dic[5]:
            q.append(row)

In [274]:
dic[14]

[496261,
 496278,
 496681,
 496708,
 496964,
 497003,
 497229,
 497256,
 497725,
 497766,
 497963,
 497986]

In [281]:
content_list[496260]

['2015-07-22T16:10:50.867328Z',
 'marketpalce-shop',
 '59.93.224.85:12012',
 '10.0.4.244:80',
 '0.000024',
 '0.003478',
 '0.000016',
 '200',
 '200',
 '0',
 '1999',
 '"GET https://paytm.com:443/offer/wp-content/plugins/wc-gallery/includes/css/magnific-popup.css?ver=0.9.9 HTTP/1.1"',
 '"Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; HTC One X+ Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
 'ECDHE-RSA-AES128-SHA',
 'TLSv1']

In [218]:
content_list[496244]

IndexError: list index out of range

In [124]:
q[0].split()

[b'2015-07-22T16:10:50.873283Z',
 b'marketpalce-shop',
 b'106.51.132.54:4210',
 b'10.0.6.99:81',
 b'0.000024',
 b'0.000215',
 b'0.00002',
 b'301',
 b'301',
 b'0',
 b'178',
 b'"GET',
 b'http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(981045)%3C/ScRiPt%3E/about',
 b'HTTP/1.1"',
 b'"Mozilla/5.0',
 b'(compatible;',
 b'MSIE',
 b'9.0;',
 b'Windows',
 b'NT',
 b'6.1;',
 b'WOW64;',
 b'Trident/5.0)"',
 b'-',
 b'-']

In [192]:
re.search('^La.*le$',"Larry loves apple")

<re.Match object; span=(0, 17), match='Larry loves apple'>

In [182]:
q[0].strip().decode()

'2015-07-22T16:10:50.873283Z marketpalce-shop 106.51.132.54:4210 10.0.6.99:81 0.000024 0.000215 0.00002 301 301 0 178 "GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(981045)%3C/ScRiPt%3E/about HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" - -'

In [194]:
re.findall('^GET.*',q[0].strip().decode())

[]

In [None]:
/^La.*le$/

In [254]:
re.search(' "GET.*HTTP/[0-9]+.[0-9]+"',q[0].strip().decode())[0]

' "GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(981045)%3C/ScRiPt%3E/about HTTP/1.1"'

In [261]:
re.split(" (?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)",re.sub(' "GET.*HTTP/[0-9]+.[0-9]+" ','',q[2].strip().decode()))

['2015-07-22T16:10:51.693786Z',
 'marketpalce-shop',
 '106.51.132.54:4213',
 '10.0.4.227:81',
 '0.000023',
 '0.001021',
 '0.000022',
 '301',
 '301',
 '0',
 '178"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
 '-',
 '-']

In [262]:
q[10]

b'2015-07-22T16:10:54.948009Z marketpalce-shop 106.51.132.54:4233 10.0.4.150:81 0.000026 0.00113 0.000018 301 301 0 178 "GET http://paytm.com:80/%27"()&%251%3CScRiPt%20%3Eprompt(940817)%3C/ScRiPt%3E/termsconditions HTTP/1.1" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" - -\n'

In [None]:
pd.read_csv('data/2015_07_22_mktplace_shop_web_log_sample.log.gz',)