<img src="../img/logo_white_bkg_small.png" align="right" />


# Worksheet 1:  Exploring Your Data - Answers
This worksheet covers concepts covered in the first half of Module 1 - Exploratory Data Analysis in One Dimension.  It should take no more than 20-30 minutes to complete.  Please raise your hand if you get stuck.  

There are many ways to accomplish the tasks that you are presented with, however you will find that by using the techniques covered in class, the exercises should be relatively simple. 

## Import the Libraries
For this exercise, we will be using:
* Pandas (http://pandas.pydata.org/pandas-docs/stable/)
* Numpy (https://docs.scipy.org/doc/numpy/reference/)
* Matplotlib (http://matplotlib.org/api/pyplot_api.html)

In [8]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import apache_log_parser
from user_agents import parse
from ipaddress import ip_address
DATA_HOME = '../data/'

## Exercise 1:  Splitting and Filtering a Series

In this exercise, you are given a list of email addresses called `emails`.  Your goal is to find the email accounts from domains that end in `.edu`.  To accomplish this, you will need to:
1. Filter the series to remove the emails that do not end in .edu
2. Extract the accounts. 

If you get stuck, refer to the documentation for Pandas string manipulation (http://pandas.pydata.org/pandas-docs/stable/text.html) or the slides.  Note that there are various functions to accomplish this task.

In [2]:
emails = ['alawrence0@prlog.org',
'blynch1@businessweek.com',
'mdixon2@cmu.edu',
'rvasquez3@1688.com',
'astone4@creativecommons.org',
'mcarter5@chicagotribune.com',
'dcole6@vinaora.com',
'kpeterson7@topsy.com',
'ewebb8@cnet.com',
'jtaylor9@google.ru',
'ecarra@buzzfeed.com',
'jjonesb@arizona.edu',
'jbowmanc@disqus.com',
'eduardo_sanchezd@npr.org',
'emooree@prweb.com',
'eberryf@brandeis.edu',
'sgardnerh@wikipedia.org',
'balvarezi@delicious.com',
'blewisj@privacy.gov.au']

In [3]:
email_series = pd.Series(emails)
filtered_emails = email_series[email_series.str.contains('.edu')]
print( filtered_emails )

2          mdixon2@cmu.edu
11     jjonesb@arizona.edu
15    eberryf@brandeis.edu
dtype: object


In [4]:
accounts = filtered_emails.str.split( '@').str[0]
print( accounts )

2     mdixon2
11    jjonesb
15    eberryf
dtype: object


## Exercise 2: Summarizing Web Server Logs 
In the data file, there is a webserver file called `hackers-access.httpd`.  For this exercise, you will use this file to answer the following questions:
1.  Which browsers are the top 10 most used browsers in this data?
2.  Which are the top 10 most used operating systems?

In order to accomplish this task, do the following:
1.  Write a function which takes a User Agent string as an argument and returns the relevant data.  HINT:  You might want to use python's `user_agents` module, the documentation for which is available here: (https://pypi.python.org/pypi/user-agents)
2.  Next, apply this function to the column which contains the user agent string.
3.  Store this series as a new column in the dataframe
4.  Count the occurances of each value in the new columns

In [9]:
#Read in the log file
line_parser = apache_log_parser.make_parser("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"")

server_log = open(DATA_HOME + "hackers-access.httpd", "r")
parsed_server_data = []
for line in server_log:
    data = {}
    data = line_parser(line)
    parsed_server_data.append( data )

server_df = pd.DataFrame( parsed_server_data  )

In [10]:
server_df.head()

Unnamed: 0,remote_host,remote_logname,remote_user,time_received,time_received_datetimeobj,time_received_isoformat,time_received_tz_datetimeobj,time_received_tz_isoformat,time_received_utc_datetimeobj,time_received_utc_isoformat,...,request_url_password,request_url_hostname,request_url_port,request_url_query_dict,request_url_query_list,request_url_query_simple_dict,status,response_bytes_clf,request_header_referer,request_header_user_agent
0,195.154.46.135,-,-,[25/Oct/2015:04:11:25 +0100],2015-10-25 04:11:25,2015-10-25T04:11:25,2015-10-25 04:11:25+01:00,2015-10-25T04:11:25+01:00,2015-10-25 03:11:25+00:00,2015-10-25T03:11:25+00:00,...,,,,{},[],{},200,24323,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...
1,23.95.237.180,-,-,[25/Oct/2015:04:11:26 +0100],2015-10-25 04:11:26,2015-10-25T04:11:26,2015-10-25 04:11:26+01:00,2015-10-25T04:11:26+01:00,2015-10-25 03:11:26+00:00,2015-10-25T03:11:26+00:00,...,,,,{},[],{},200,11114,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...
2,23.95.237.180,-,-,[25/Oct/2015:04:11:27 +0100],2015-10-25 04:11:27,2015-10-25T04:11:27,2015-10-25 04:11:27+01:00,2015-10-25T04:11:27+01:00,2015-10-25 03:11:27+00:00,2015-10-25T03:11:27+00:00,...,,,,{},[],{},302,9093,http://howto.basjes.nl/join_form,Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20...
3,158.222.5.157,-,-,[25/Oct/2015:04:24:31 +0100],2015-10-25 04:24:31,2015-10-25T04:24:31,2015-10-25 04:24:31+01:00,2015-10-25T04:24:31+01:00,2015-10-25 03:24:31+00:00,2015-10-25T03:24:31+00:00,...,,,,{},[],{},200,11114,http://howto.basjes.nl/,Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) G...
4,158.222.5.157,-,-,[25/Oct/2015:04:24:32 +0100],2015-10-25 04:24:32,2015-10-25T04:24:32,2015-10-25 04:24:32+01:00,2015-10-25T04:24:32+01:00,2015-10-25 03:24:32+00:00,2015-10-25T03:24:32+00:00,...,,,,{},[],{},302,9093,http://howto.basjes.nl/join_form,Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) G...


In [11]:
#Write the functions
def get_os(x):
    user_agent = parse(x)
    return user_agent.os.family

def get_browser(x):
    user_agent = parse(x)
    return user_agent.browser.family

In [12]:
#Apply the functions to the dataframe
server_df['os'] = server_df['request_header_user_agent'].apply( get_os )
server_df['browser'] = server_df['request_header_user_agent'].apply( get_browser )

In [13]:
#Get the top 10 values
server_df['os'].value_counts().head(10)

Windows      3185
Linux         125
Mac OS X       80
Chrome OS      60
Ubuntu          6
Name: os, dtype: int64

In [14]:
server_df['browser'].value_counts().head(10)

Firefox    1476
Chrome      789
Opera       556
Dragon      533
IE           78
Safari       24
Name: browser, dtype: int64

## Exercise 3: Putting it all Together: Which industry sees the most Ramnit infections? Least?
First you're going to want to create a data frame from the `dailybots.csv` file which can be found in the `data` directory.  You should be able to do this with the `pd.read_csv()` function.  Take a minute to look at the dataframe because we are going to be using it for this entire worksheet.

Once you've done that, count the number of infected days for "Ramnit" in each industry industry. 
How: 
1.  First filter the data to remove all the infections we don't care about
2.  Aggregate the data on the column of interest. HINT:  You might want to use the `groupby()` function
3.  Add up the results 

In [15]:
DATA_HOME = '../data/'
data = pd.read_csv( DATA_HOME + 'dailybots.csv' )
#Look at a summary of the data
data.describe()

Unnamed: 0,hosts,orgs
count,4969.0,4969.0
mean,142.30811,15.31133
std,240.955294,21.1515
min,1.0,1.0
25%,10.0,3.0
50%,38.0,7.0
75%,187.0,16.0
max,2031.0,122.0


In [16]:
grouped_df = data[data.botfam == "Ramnit"].groupby(['industry'])
grouped_df.sum()

Unnamed: 0_level_0,hosts,orgs
industry,Unnamed: 1_level_1,Unnamed: 2_level_1
Education,7492,3949
Finance,2281,1357
Government/Politics,4484,448
Healthcare/Wellness,544,473
Manufacturing,46303,1155
Retail,17649,558
