├── LICENSE
├── README.md
├── Tatsuya_Hasegawa_msticpy_SANS_APAC_DFIR_SUMMIT_2023.pdf
├── analysis_outliers
    ├── README.md
    └── outliers_multi_dimension_PR.ipynb
├── analysis_rrcf_outliers
    ├── msticpy-if_outliers.ipynb
    └── msticpy-rrcf_outliers.ipynb
├── data
    └── buttercupgame_iplocation.csv
├── msticpy_light_tutorial.ipynb
├── qp_splunk_poc_bugfix
    ├── msticpy_qp_splunk.ipynb
    ├── msticpy_splunk_9_0_4_reader_bug.ipynb
    ├── msticpy_splunk_9_0_4_reader_merged.ipynb
    ├── msticpy_splunk_reader_bug.ipynb
    └── msticpy_splunk_reader_paging-test.csv
├── splunk_dsdl
    ├── README.md
    └── msticpy_powershell_ioc.ipynb
└── timeseries_anomalies_stl
    └── msticpy_timeseries_anomalies_stl.ipynb


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 hackeT
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # MSTICPy_utils
 2 | 
 3 | - Mainly my MSTICpy practice repository.
 4 | - Jupyter notebook files with useful msticpy execution's how-to history.
 5 | 
 6 | | File or Directory  | Short Desc |
 7 | | ------------- | ------------- |
 8 | | [msticpy_light_tutorial.ipynb](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/msticpy_light_tutorial.ipynb)  | Tutorial to use msticpy along 'Quick Start Overview' |
 9 | | [timeseries_anomalies_stl](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/timeseries_anomalies_stl)  | Practice of timeseries_anomalies_stl function |
10 | | [splunk_dsdl](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/splunk_dsdl)  | msticpy joint to Splunk DSDL example for powershell base64 hunting refered by my DFIR Summit PDF  |
11 | | [qp_splunk_poc_bugfix](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/qp_splunk_poc_bugfix) | PoC notebooks and test csv of my [PR#657](https://github.com/microsoft/msticpy/pull/657) to msticpy  |
12 | | [analysis_outliers](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/analysis_outliers) | PoC notebooks of my [PR#805](https://github.com/microsoft/msticpy/pull/805) to msticpy  |
13 | | [analysis_rrcf_outliers](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/analysis_rrcf_outliers) | PoC notebooks of my [PR#846](https://github.com/microsoft/msticpy/pull/846) to msticpy, comparing IsolationForest and RobustRandomCutForest with same dataset |
14 | | [data](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/main/data)  | sample data directory to be utilized by this repository's some notebook files |
15 | 
16 | ### Presentation on SANS APAC DFIR Summit 2023 
17 | 
18 | [Practical msticpy use ~ rainbow bridge to SIEM for advanced threat hunting ~](https://github.com/Tatsuya-hasegawa/MSTICPy_utils/blob/d3b5e589ab4de714b430a5274a3378bde21a3aaf/Tatsuya_Hasegawa_msticpy_SANS_APAC_DFIR_SUMMIT_2023.pdf)
19 | 
20 | 
21 | 


--------------------------------------------------------------------------------
/Tatsuya_Hasegawa_msticpy_SANS_APAC_DFIR_SUMMIT_2023.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Tatsuya-hasegawa/MSTICPy_utils/c37a4fa3aeb1361f2ae07fb348139ae92b5de0b6/Tatsuya_Hasegawa_msticpy_SANS_APAC_DFIR_SUMMIT_2023.pdf


--------------------------------------------------------------------------------
/analysis_outliers/README.md:
--------------------------------------------------------------------------------
1 | TBD
2 | 


--------------------------------------------------------------------------------
/qp_splunk_poc_bugfix/msticpy_qp_splunk.ipynb:
--------------------------------------------------------------------------------
  1 | {
  2 |  "cells": [
  3 |   {
  4 |    "attachments": {},
  5 |    "cell_type": "markdown",
  6 |    "metadata": {},
  7 |    "source": [
  8 |     "# PoC: SplunkGeneral.get_events_parameterized function will fetch all the Splunk records\n",
  9 |     "\n",
 10 |     "with my PR code https://github.com/microsoft/msticpy/pull/657\n",
 11 |     "\n",
 12 |     "\n",
 13 |     "Reference Splunk SDK python:\n",
 14 |     "- https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtodisplaysearchpython/#To-paginate-through-a-large-set-of-results\n",
 15 |     "- https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/\n",
 16 |     "\n",
 17 |     "- https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.2/client.html\n",
 18 |     "- https://docs.splunk.com/DocumentationStatic/PythonSDK/1.7.2/results.html\n",
 19 |     "\n"
 20 |    ]
 21 |   },
 22 |   {
 23 |    "cell_type": "code",
 24 |    "execution_count": 1,
 25 |    "metadata": {},
 26 |    "outputs": [
 27 |     {
 28 |      "name": "stderr",
 29 |      "output_type": "stream",
 30 |      "text": [
 31 |       "2023-04-18 13:40:04,642: WARNING - config validation error Missing or empty 'AzureSentinel' section (nbinit#697)\n",
 32 |       "2023-04-18 13:40:04,643: WARNING - Could not find msticpyconfig.yaml in standard search. (nbinit#710)\n"
 33 |      ]
 34 |     },
 35 |     {
 36 |      "data": {
 37 |       "text/html": [
 38 |        "<p style=''><font color='orange'><h3>Notebook setup completed with some warnings.</h3></p>"
 39 |       ],
 40 |       "text/plain": [
 41 |        "<IPython.core.display.HTML object>"
 42 |       ]
 43 |      },
 44 |      "metadata": {},
 45 |      "output_type": "display_data"
 46 |     },
 47 |     {
 48 |      "data": {
 49 |       "text/html": [
 50 |        "<p style=''>One or more configuration items were missing or set incorrectly.</p>"
 51 |       ],
 52 |       "text/plain": [
 53 |        "<IPython.core.display.HTML object>"
 54 |       ]
 55 |      },
 56 |      "metadata": {},
 57 |      "output_type": "display_data"
 58 |     },
 59 |     {
 60 |      "data": {
 61 |       "text/html": [
 62 |        "<p style=''>Please run the <i>Getting Started Guide for Azure Sentinel ML Notebooks</i> notebook. and the <a href='https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html'>msticpy configuration guide</a>.</p>"
 63 |       ],
 64 |       "text/plain": [
 65 |        "<IPython.core.display.HTML object>"
 66 |       ]
 67 |      },
 68 |      "metadata": {},
 69 |      "output_type": "display_data"
 70 |     },
 71 |     {
 72 |      "data": {
 73 |       "text/html": [
 74 |        "<p style=''>This notebook may still run but with reduced functionality.</p>"
 75 |       ],
 76 |       "text/plain": [
 77 |        "<IPython.core.display.HTML object>"
 78 |       ]
 79 |      },
 80 |      "metadata": {},
 81 |      "output_type": "display_data"
 82 |     }
 83 |    ],
 84 |    "source": [
 85 |     "import msticpy as mp\n",
 86 |     "mp.init_notebook()"
 87 |    ]
 88 |   },
 89 |   {
 90 |    "cell_type": "code",
 91 |    "execution_count": 2,
 92 |    "metadata": {},
 93 |    "outputs": [
 94 |     {
 95 |      "name": "stdout",
 96 |      "output_type": "stream",
 97 |      "text": [
 98 |       "connected\n"
 99 |      ]
100 |     }
101 |    ],
102 |    "source": [
103 |     "splunk_prov = mp.QueryProvider(\"Splunk\")\n",
104 |     "splunk_prov.connect()"
105 |    ]
106 |   },
107 |   {
108 |    "cell_type": "code",
109 |    "execution_count": 3,
110 |    "metadata": {},
111 |    "outputs": [
112 |     {
113 |      "name": "stdout",
114 |      "output_type": "stream",
115 |      "text": [
116 |       "Query:  get_events_parameterized\n",
117 |       "Data source:  Splunk\n",
118 |       "Generic parameterized query from index/source\n",
119 |       "\n",
120 |       "Parameters\n",
121 |       "----------\n",
122 |       "add_query_items: str (optional)\n",
123 |       "    Additional query clauses\n",
124 |       "    (default value is: | head 100)\n",
125 |       "end: datetime\n",
126 |       "    Query end time\n",
127 |       "index: str (optional)\n",
128 |       "    Splunk index name\n",
129 |       "    (default value is: *)\n",
130 |       "project_fields: str (optional)\n",
131 |       "    Project Field names\n",
132 |       "    (default value is: | table TimeCreated, host, EventID, EventDescripti...)\n",
133 |       "source: str (optional)\n",
134 |       "    Splunk source type\n",
135 |       "    (default value is: *)\n",
136 |       "start: datetime\n",
137 |       "    Query start time\n",
138 |       "timeformat: str (optional)\n",
139 |       "    Datetime format to use in Splunk query\n",
140 |       "    (default value is: \"%Y-%m-%d %H:%M:%S.%6N\")\n",
141 |       "Query:\n",
142 |       " search index={index} source={source} timeformat={timeformat} earliest={start} latest={end} {project_fields} {add_query_items}\n"
143 |      ]
144 |     }
145 |    ],
146 |    "source": [
147 |     "splunk_prov.SplunkGeneral.get_events_parameterized('?')"
148 |    ]
149 |   },
150 |   {
151 |    "attachments": {},
152 |    "cell_type": "markdown",
153 |    "metadata": {},
154 |    "source": [
155 |     "## Test with botsv2 data"
156 |    ]
157 |   },
158 |   {
159 |    "cell_type": "code",
160 |    "execution_count": 3,
161 |    "metadata": {},
162 |    "outputs": [
163 |     {
164 |      "data": {
165 |       "text/plain": [
166 |        "' search index=botsv2 source=WinEventLog:Microsoft-Windows-Sysmon/Operational timeformat=\"%Y-%m-%d %H:%M:%S\" earliest=\"2017-08-25 00:00:00\" latest=\"2017-08-25 10:00:00\" | table TimeCreated, host, EventID, EventDescription, User, process, cmdline, Image, parent_process, ParentCommandLine, dest, Hashes | head 100'"
167 |       ]
168 |      },
169 |      "execution_count": 3,
170 |      "metadata": {},
171 |      "output_type": "execute_result"
172 |     }
173 |    ],
174 |    "source": [
175 |     "splunk_prov.SplunkGeneral.get_events_parameterized('print',\n",
176 |     "    index=\"botsv2\",\n",
177 |     "    source=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\",\n",
178 |     "    timeformat='\"%Y-%m-%d %H:%M:%S\"',\n",
179 |     "    start=\"2017-08-25 00:00:00\",\n",
180 |     "    end=\"2017-08-25 10:00:00\"\n",
181 |     ")"
182 |    ]
183 |   },
184 |   {
185 |    "cell_type": "code",
186 |    "execution_count": 4,
187 |    "metadata": {},
188 |    "outputs": [
189 |     {
190 |      "name": "stderr",
191 |      "output_type": "stream",
192 |      "text": [
193 |       "Waiting Splunk job to complete: 200.0it [00:03, 60.67it/s]                          "
194 |      ]
195 |     },
196 |     {
197 |      "name": "stdout",
198 |      "output_type": "stream",
199 |      "text": [
200 |       "100.0%   11268 scanned   11268 matched   100 results\n",
201 |       "Splunk job has Done!\n"
202 |      ]
203 |     },
204 |     {
205 |      "name": "stderr",
206 |      "output_type": "stream",
207 |      "text": [
208 |       "\n"
209 |      ]
210 |     },
211 |     {
212 |      "name": "stdout",
213 |      "output_type": "stream",
214 |      "text": [
215 |       "Implicit parameter dump - 'paginate_width': 100 ,which means 100 records will be retrieved per one fetch.\n",
216 |       "  You can set paginate_width=<integer> to this function's option.\n"
217 |      ]
218 |     },
219 |     {
220 |      "name": "stderr",
221 |      "output_type": "stream",
222 |      "text": [
223 |       "Waiting Splunk result to retrieve: 200it [00:00, 17219.06it/s]            "
224 |      ]
225 |     },
226 |     {
227 |      "name": "stdout",
228 |      "output_type": "stream",
229 |      "text": [
230 |       "Retrieved 100 results.\n"
231 |      ]
232 |     },
233 |     {
234 |      "name": "stderr",
235 |      "output_type": "stream",
236 |      "text": [
237 |       "\n"
238 |      ]
239 |     },
240 |     {
241 |      "data": {
242 |       "text/plain": [
243 |        "100"
244 |       ]
245 |      },
246 |      "execution_count": 4,
247 |      "metadata": {},
248 |      "output_type": "execute_result"
249 |     }
250 |    ],
251 |    "source": [
252 |     "default_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
253 |     "    index=\"botsv2\",\n",
254 |     "    source=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\",\n",
255 |     "    start=\"2017-08-25 00:00:00.000000\",\n",
256 |     "    end=\"2017-08-25 10:00:00.000000\"\n",
257 |     ")\n",
258 |     "len(default_df) # 100 because of add_query_items = '| head 100' by default"
259 |    ]
260 |   },
261 |   {
262 |    "attachments": {},
263 |    "cell_type": "markdown",
264 |    "metadata": {},
265 |    "source": [
266 |     "### fetch unlimited records "
267 |    ]
268 |   },
269 |   {
270 |    "cell_type": "code",
271 |    "execution_count": 10,
272 |    "metadata": {},
273 |    "outputs": [
274 |     {
275 |      "data": {
276 |       "text/plain": [
277 |        "' search index=botsv2 source=WinEventLog:Microsoft-Windows-Sysmon/Operational timeformat=\"%Y-%m-%d %H:%M:%S.%6N\" earliest=\"2017-08-25 00:00:00\" latest=\"2017-08-25 10:00:00\" | table TimeCreated, host, EventID, EventDescription, User, process, cmdline, Image, parent_process, ParentCommandLine, dest, Hashes '"
278 |       ]
279 |      },
280 |      "execution_count": 10,
281 |      "metadata": {},
282 |      "output_type": "execute_result"
283 |     }
284 |    ],
285 |    "source": [
286 |     "splunk_prov.SplunkGeneral.get_events_parameterized('print',\n",
287 |     "    index=\"botsv2\",\n",
288 |     "    source=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\",\n",
289 |     "    start=\"2017-08-25 00:00:00.000000\",\n",
290 |     "    end=\"2017-08-25 10:00:00.000000\",\n",
291 |     "    add_query_items=''\n",
292 |     ")"
293 |    ]
294 |   },
295 |   {
296 |    "cell_type": "code",
297 |    "execution_count": 12,
298 |    "metadata": {},
299 |    "outputs": [
300 |     {
301 |      "name": "stderr",
302 |      "output_type": "stream",
303 |      "text": [
304 |       "Waiting Splunk job to complete: 200.0it [00:03, 60.83it/s]                          "
305 |      ]
306 |     },
307 |     {
308 |      "name": "stdout",
309 |      "output_type": "stream",
310 |      "text": [
311 |       "100.0%   11268 scanned   11268 matched   11268 results\n",
312 |       "Splunk job has Done!\n"
313 |      ]
314 |     },
315 |     {
316 |      "name": "stderr",
317 |      "output_type": "stream",
318 |      "text": [
319 |       "\n"
320 |      ]
321 |     },
322 |     {
323 |      "name": "stdout",
324 |      "output_type": "stream",
325 |      "text": [
326 |       "Implicit parameter dump - 'paginate_width': 100 ,which means 100 records will be retrieved per one fetch.\n",
327 |       "  You can set paginate_width=<integer> to this function's option.\n"
328 |      ]
329 |     },
330 |     {
331 |      "name": "stderr",
332 |      "output_type": "stream",
333 |      "text": [
334 |       "Waiting Splunk result to retrieve: 22568it [00:01, 16391.93it/s]                          "
335 |      ]
336 |     },
337 |     {
338 |      "name": "stdout",
339 |      "output_type": "stream",
340 |      "text": [
341 |       "Retrieved 11268 results.\n"
342 |      ]
343 |     },
344 |     {
345 |      "name": "stderr",
346 |      "output_type": "stream",
347 |      "text": [
348 |       "\n"
349 |      ]
350 |     }
351 |    ],
352 |    "source": [
353 |     "result_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
354 |     "    index=\"botsv2\",\n",
355 |     "    source=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\",\n",
356 |     "    start=\"2017-08-25 00:00:00.000000\",\n",
357 |     "    end=\"2017-08-25 10:00:00.000000\",\n",
358 |     "    add_query_items='',\n",
359 |     "    count=0\n",
360 |     ")"
361 |    ]
362 |   },
363 |   {
364 |    "cell_type": "code",
365 |    "execution_count": 13,
366 |    "metadata": {},
367 |    "outputs": [
368 |     {
369 |      "data": {
370 |       "text/plain": [
371 |        "11268"
372 |       ]
373 |      },
374 |      "execution_count": 13,
375 |      "metadata": {},
376 |      "output_type": "execute_result"
377 |     }
378 |    ],
379 |    "source": [
380 |     "len(result_df)"
381 |    ]
382 |   },
383 |   {
384 |    "attachments": {},
385 |    "cell_type": "markdown",
386 |    "metadata": {},
387 |    "source": [
388 |     "## Test with original csv \"msticpy_splunk_reader_paging-test.csv\""
389 |    ]
390 |   },
391 |   {
392 |    "cell_type": "code",
393 |    "execution_count": 14,
394 |    "metadata": {},
395 |    "outputs": [
396 |     {
397 |      "name": "stderr",
398 |      "output_type": "stream",
399 |      "text": [
400 |       "Waiting Splunk job to complete: 200.0it [00:03, 60.31it/s]                         "
401 |      ]
402 |     },
403 |     {
404 |      "name": "stdout",
405 |      "output_type": "stream",
406 |      "text": [
407 |       "100.0%   100000 scanned   100000 matched   100000 results\n",
408 |       "Splunk job has Done!\n"
409 |      ]
410 |     },
411 |     {
412 |      "name": "stderr",
413 |      "output_type": "stream",
414 |      "text": [
415 |       "\n"
416 |      ]
417 |     },
418 |     {
419 |      "name": "stdout",
420 |      "output_type": "stream",
421 |      "text": [
422 |       "Implicit parameter dump - 'paginate_width': 100 ,which means 100 records will be retrieved per one fetch.\n",
423 |       "  You can set paginate_width=<integer> to this function's option.\n"
424 |      ]
425 |     },
426 |     {
427 |      "name": "stderr",
428 |      "output_type": "stream",
429 |      "text": [
430 |       "Waiting Splunk result to retrieve: 200000it [00:39, 5096.06it/s]                           \n"
431 |      ]
432 |     },
433 |     {
434 |      "name": "stdout",
435 |      "output_type": "stream",
436 |      "text": [
437 |       "Retrieved 100000 results.\n"
438 |      ]
439 |     }
440 |    ],
441 |    "source": [
442 |     "# paginate_width = 100 by default\n",
443 |     "result_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
444 |     "    index=\"msticpy\",\n",
445 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
446 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
447 |     "    add_query_items='',\n",
448 |     "    count=0\n",
449 |     ")\n",
450 |     "result_df['timestamp'] = result_df['timestamp'].astype('float')\n",
451 |     "result_df['rownum'] = result_df['rownum'].astype('int')"
452 |    ]
453 |   },
454 |   {
455 |    "cell_type": "code",
456 |    "execution_count": 15,
457 |    "metadata": {},
458 |    "outputs": [
459 |     {
460 |      "data": {
461 |       "text/plain": [
462 |        "100000"
463 |       ]
464 |      },
465 |      "execution_count": 15,
466 |      "metadata": {},
467 |      "output_type": "execute_result"
468 |     }
469 |    ],
470 |    "source": [
471 |     "len(result_df)"
472 |    ]
473 |   },
474 |   {
475 |    "cell_type": "code",
476 |    "execution_count": 16,
477 |    "metadata": {},
478 |    "outputs": [
479 |     {
480 |      "data": {
481 |       "text/plain": [
482 |        "array([     1,      2,      3, ...,  99998,  99999, 100000])"
483 |       ]
484 |      },
485 |      "execution_count": 16,
486 |      "metadata": {},
487 |      "output_type": "execute_result"
488 |     }
489 |    ],
490 |    "source": [
491 |     "sort_df = result_df.sort_values('rownum')\n",
492 |     "sort_df['rownum'].to_numpy()"
493 |    ]
494 |   },
495 |   {
496 |    "cell_type": "code",
497 |    "execution_count": 17,
498 |    "metadata": {},
499 |    "outputs": [
500 |     {
501 |      "data": {
502 |       "text/html": [
503 |        "<div>\n",
504 |        "<style scoped>\n",
505 |        "    .dataframe tbody tr th:only-of-type {\n",
506 |        "        vertical-align: middle;\n",
507 |        "    }\n",
508 |        "\n",
509 |        "    .dataframe tbody tr th {\n",
510 |        "        vertical-align: top;\n",
511 |        "    }\n",
512 |        "\n",
513 |        "    .dataframe thead th {\n",
514 |        "        text-align: right;\n",
515 |        "    }\n",
516 |        "</style>\n",
517 |        "<table border=\"1\" class=\"dataframe\">\n",
518 |        "  <thead>\n",
519 |        "    <tr style=\"text-align: right;\">\n",
520 |        "      <th></th>\n",
521 |        "      <th>timestamp</th>\n",
522 |        "      <th>rownum</th>\n",
523 |        "      <th>desc</th>\n",
524 |        "      <th>uuid4</th>\n",
525 |        "      <th>host</th>\n",
526 |        "    </tr>\n",
527 |        "  </thead>\n",
528 |        "  <tbody>\n",
529 |        "    <tr>\n",
530 |        "      <th>91428</th>\n",
531 |        "      <td>1.681780e+09</td>\n",
532 |        "      <td>1</td>\n",
533 |        "      <td>testing_rownum1</td>\n",
534 |        "      <td>7230ab65-7622-4aea-8f89-e0cf94028e80</td>\n",
535 |        "      <td>hackeTlab.local</td>\n",
536 |        "    </tr>\n",
537 |        "    <tr>\n",
538 |        "      <th>91427</th>\n",
539 |        "      <td>1.681780e+09</td>\n",
540 |        "      <td>2</td>\n",
541 |        "      <td>testing_rownum2</td>\n",
542 |        "      <td>0673a921-400f-4f74-9955-2ebe3aa6b568</td>\n",
543 |        "      <td>hackeTlab.local</td>\n",
544 |        "    </tr>\n",
545 |        "    <tr>\n",
546 |        "      <th>91426</th>\n",
547 |        "      <td>1.681780e+09</td>\n",
548 |        "      <td>3</td>\n",
549 |        "      <td>testing_rownum3</td>\n",
550 |        "      <td>1b7d33b8-797f-4b19-978e-89d126d1736d</td>\n",
551 |        "      <td>hackeTlab.local</td>\n",
552 |        "    </tr>\n",
553 |        "    <tr>\n",
554 |        "      <th>91425</th>\n",
555 |        "      <td>1.681780e+09</td>\n",
556 |        "      <td>4</td>\n",
557 |        "      <td>testing_rownum4</td>\n",
558 |        "      <td>9b513862-7cb3-436b-b9b0-cee880d4c19b</td>\n",
559 |        "      <td>hackeTlab.local</td>\n",
560 |        "    </tr>\n",
561 |        "    <tr>\n",
562 |        "      <th>91424</th>\n",
563 |        "      <td>1.681780e+09</td>\n",
564 |        "      <td>5</td>\n",
565 |        "      <td>testing_rownum5</td>\n",
566 |        "      <td>96feff47-29db-4d78-a221-f96df595200f</td>\n",
567 |        "      <td>hackeTlab.local</td>\n",
568 |        "    </tr>\n",
569 |        "    <tr>\n",
570 |        "      <th>...</th>\n",
571 |        "      <td>...</td>\n",
572 |        "      <td>...</td>\n",
573 |        "      <td>...</td>\n",
574 |        "      <td>...</td>\n",
575 |        "      <td>...</td>\n",
576 |        "    </tr>\n",
577 |        "    <tr>\n",
578 |        "      <th>9912</th>\n",
579 |        "      <td>1.681780e+09</td>\n",
580 |        "      <td>99996</td>\n",
581 |        "      <td>testing_rownum99996</td>\n",
582 |        "      <td>b051d150-b26d-4149-bd28-70f800229ede</td>\n",
583 |        "      <td>hackeTlab.local</td>\n",
584 |        "    </tr>\n",
585 |        "    <tr>\n",
586 |        "      <th>9911</th>\n",
587 |        "      <td>1.681780e+09</td>\n",
588 |        "      <td>99997</td>\n",
589 |        "      <td>testing_rownum99997</td>\n",
590 |        "      <td>a2192da0-8262-43fb-9301-bd4780a9b499</td>\n",
591 |        "      <td>hackeTlab.local</td>\n",
592 |        "    </tr>\n",
593 |        "    <tr>\n",
594 |        "      <th>9910</th>\n",
595 |        "      <td>1.681780e+09</td>\n",
596 |        "      <td>99998</td>\n",
597 |        "      <td>testing_rownum99998</td>\n",
598 |        "      <td>57cd4cf6-b5e8-41dc-815e-870092c54caa</td>\n",
599 |        "      <td>hackeTlab.local</td>\n",
600 |        "    </tr>\n",
601 |        "    <tr>\n",
602 |        "      <th>9909</th>\n",
603 |        "      <td>1.681780e+09</td>\n",
604 |        "      <td>99999</td>\n",
605 |        "      <td>testing_rownum99999</td>\n",
606 |        "      <td>a3a13916-89b8-4922-967e-ab680131ff39</td>\n",
607 |        "      <td>hackeTlab.local</td>\n",
608 |        "    </tr>\n",
609 |        "    <tr>\n",
610 |        "      <th>12499</th>\n",
611 |        "      <td>1.681780e+09</td>\n",
612 |        "      <td>100000</td>\n",
613 |        "      <td>testing_rownum100000</td>\n",
614 |        "      <td>9ac20835-91d1-42f5-8e43-6289ea79fc17</td>\n",
615 |        "      <td>hackeTlab.local</td>\n",
616 |        "    </tr>\n",
617 |        "  </tbody>\n",
618 |        "</table>\n",
619 |        "<p>100000 rows × 5 columns</p>\n",
620 |        "</div>"
621 |       ],
622 |       "text/plain": [
623 |        "          timestamp  rownum                  desc  \\\n",
624 |        "91428  1.681780e+09       1       testing_rownum1   \n",
625 |        "91427  1.681780e+09       2       testing_rownum2   \n",
626 |        "91426  1.681780e+09       3       testing_rownum3   \n",
627 |        "91425  1.681780e+09       4       testing_rownum4   \n",
628 |        "91424  1.681780e+09       5       testing_rownum5   \n",
629 |        "...             ...     ...                   ...   \n",
630 |        "9912   1.681780e+09   99996   testing_rownum99996   \n",
631 |        "9911   1.681780e+09   99997   testing_rownum99997   \n",
632 |        "9910   1.681780e+09   99998   testing_rownum99998   \n",
633 |        "9909   1.681780e+09   99999   testing_rownum99999   \n",
634 |        "12499  1.681780e+09  100000  testing_rownum100000   \n",
635 |        "\n",
636 |        "                                      uuid4             host  \n",
637 |        "91428  7230ab65-7622-4aea-8f89-e0cf94028e80  hackeTlab.local  \n",
638 |        "91427  0673a921-400f-4f74-9955-2ebe3aa6b568  hackeTlab.local  \n",
639 |        "91426  1b7d33b8-797f-4b19-978e-89d126d1736d  hackeTlab.local  \n",
640 |        "91425  9b513862-7cb3-436b-b9b0-cee880d4c19b  hackeTlab.local  \n",
641 |        "91424  96feff47-29db-4d78-a221-f96df595200f  hackeTlab.local  \n",
642 |        "...                                     ...              ...  \n",
643 |        "9912   b051d150-b26d-4149-bd28-70f800229ede  hackeTlab.local  \n",
644 |        "9911   a2192da0-8262-43fb-9301-bd4780a9b499  hackeTlab.local  \n",
645 |        "9910   57cd4cf6-b5e8-41dc-815e-870092c54caa  hackeTlab.local  \n",
646 |        "9909   a3a13916-89b8-4922-967e-ab680131ff39  hackeTlab.local  \n",
647 |        "12499  9ac20835-91d1-42f5-8e43-6289ea79fc17  hackeTlab.local  \n",
648 |        "\n",
649 |        "[100000 rows x 5 columns]"
650 |       ]
651 |      },
652 |      "execution_count": 17,
653 |      "metadata": {},
654 |      "output_type": "execute_result"
655 |     }
656 |    ],
657 |    "source": [
658 |     "sort_df"
659 |    ]
660 |   },
661 |   {
662 |    "attachments": {},
663 |    "cell_type": "markdown",
664 |    "metadata": {},
665 |    "source": [
666 |     "OK, Fine.\n",
667 |     "\n",
668 |     "\n",
669 |     "Next is test with paginate_width = 10000"
670 |    ]
671 |   },
672 |   {
673 |    "cell_type": "code",
674 |    "execution_count": 18,
675 |    "metadata": {},
676 |    "outputs": [
677 |     {
678 |      "name": "stderr",
679 |      "output_type": "stream",
680 |      "text": [
681 |       "Waiting Splunk job to complete: 200.0it [00:03, 60.55it/s]                         "
682 |      ]
683 |     },
684 |     {
685 |      "name": "stdout",
686 |      "output_type": "stream",
687 |      "text": [
688 |       "100.0%   100000 scanned   100000 matched   100000 results\n",
689 |       "Splunk job has Done!\n"
690 |      ]
691 |     },
692 |     {
693 |      "name": "stderr",
694 |      "output_type": "stream",
695 |      "text": [
696 |       "\n"
697 |      ]
698 |     },
699 |     {
700 |      "name": "stdout",
701 |      "output_type": "stream",
702 |      "text": [
703 |       "Implicit parameter dump - 'paginate_width': 10000 ,which means 10000 records will be retrieved per one fetch.\n",
704 |       "  You can set paginate_width=<integer> to this function's option.\n"
705 |      ]
706 |     },
707 |     {
708 |      "name": "stderr",
709 |      "output_type": "stream",
710 |      "text": [
711 |       "Waiting Splunk result to retrieve: 200000it [00:00, 227110.13it/s]                            "
712 |      ]
713 |     },
714 |     {
715 |      "name": "stdout",
716 |      "output_type": "stream",
717 |      "text": [
718 |       "Retrieved 100000 results.\n"
719 |      ]
720 |     },
721 |     {
722 |      "name": "stderr",
723 |      "output_type": "stream",
724 |      "text": [
725 |       "\n"
726 |      ]
727 |     }
728 |    ],
729 |    "source": [
730 |     "# paginate_width = 10000 set to the option\n",
731 |     "result_df2 = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
732 |     "    index=\"msticpy\",\n",
733 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
734 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
735 |     "    add_query_items='',\n",
736 |     "    count=0,\n",
737 |     "    paginate_width=10000,\n",
738 |     ")\n",
739 |     "result_df2['timestamp'] = result_df2['timestamp'].astype('float')\n",
740 |     "result_df2['rownum'] = result_df2['rownum'].astype('int')"
741 |    ]
742 |   },
743 |   {
744 |    "cell_type": "code",
745 |    "execution_count": 19,
746 |    "metadata": {},
747 |    "outputs": [
748 |     {
749 |      "data": {
750 |       "text/plain": [
751 |        "100000"
752 |       ]
753 |      },
754 |      "execution_count": 19,
755 |      "metadata": {},
756 |      "output_type": "execute_result"
757 |     }
758 |    ],
759 |    "source": [
760 |     "len(result_df2)"
761 |    ]
762 |   },
763 |   {
764 |    "attachments": {},
765 |    "cell_type": "markdown",
766 |    "metadata": {},
767 |    "source": [
768 |     "### Test with oneshot mode \n",
769 |     "\n"
770 |    ]
771 |   },
772 |   {
773 |    "cell_type": "code",
774 |    "execution_count": 20,
775 |    "metadata": {},
776 |    "outputs": [],
777 |    "source": [
778 |     "result_df_oneshot = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
779 |     "    index=\"msticpy\",\n",
780 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
781 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
782 |     "    add_query_items='',\n",
783 |     "    oneshot=True,\n",
784 |     "    count=0,\n",
785 |     ")\n",
786 |     "result_df_oneshot['timestamp'] = result_df_oneshot['timestamp'].astype('float')\n",
787 |     "result_df_oneshot['rownum'] = result_df_oneshot['rownum'].astype('int')"
788 |    ]
789 |   },
790 |   {
791 |    "cell_type": "code",
792 |    "execution_count": 21,
793 |    "metadata": {},
794 |    "outputs": [
795 |     {
796 |      "data": {
797 |       "text/plain": [
798 |        "50000"
799 |       ]
800 |      },
801 |      "execution_count": 21,
802 |      "metadata": {},
803 |      "output_type": "execute_result"
804 |     }
805 |    ],
806 |    "source": [
807 |     "len(result_df_oneshot)"
808 |    ]
809 |   },
810 |   {
811 |    "attachments": {},
812 |    "cell_type": "markdown",
813 |    "metadata": {},
814 |    "source": [
815 |     "oneshot mode hits the splunk limit of maxresultrows (50000 by default) !\n",
816 |     "\n",
817 |     "Points to\n",
818 |     "`service.confs[\"limits\"][\"restapi\"][\"maxresultrows\"]`\n",
819 |     "\n",
820 |     "It's along with my expect."
821 |    ]
822 |   },
823 |   {
824 |    "cell_type": "markdown",
825 |    "metadata": {},
826 |    "source": []
827 |   }
828 |  ],
829 |  "metadata": {
830 |   "kernelspec": {
831 |    "display_name": "msticpy",
832 |    "language": "python",
833 |    "name": "python3"
834 |   },
835 |   "language_info": {
836 |    "codemirror_mode": {
837 |     "name": "ipython",
838 |     "version": 3
839 |    },
840 |    "file_extension": ".py",
841 |    "mimetype": "text/x-python",
842 |    "name": "python",
843 |    "nbconvert_exporter": "python",
844 |    "pygments_lexer": "ipython3",
845 |    "version": "3.9.12"
846 |   },
847 |   "orig_nbformat": 4
848 |  },
849 |  "nbformat": 4,
850 |  "nbformat_minor": 2
851 | }
852 | 


--------------------------------------------------------------------------------
/qp_splunk_poc_bugfix/msticpy_splunk_9_0_4_reader_bug.ipynb:
--------------------------------------------------------------------------------
   1 | {
   2 |  "cells": [
   3 |   {
   4 |    "attachments": {},
   5 |    "cell_type": "markdown",
   6 |    "metadata": {},
   7 |    "source": [
   8 |     "### Test for docker splunk latest 9.0.4 "
   9 |    ]
  10 |   },
  11 |   {
  12 |    "cell_type": "code",
  13 |    "execution_count": 17,
  14 |    "metadata": {},
  15 |    "outputs": [
  16 |     {
  17 |      "name": "stdout",
  18 |      "output_type": "stream",
  19 |      "text": [
  20 |       "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n",
  21 |       "<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->\n",
  22 |       "<?xml-stylesheet type=\"text/xml\" href=\"/static/atom.xsl\"?>\n",
  23 |       "<feed xmlns=\"http://www.w3.org/2005/Atom\" xmlns:s=\"http://dev.splunk.com/ns/rest\">\n",
  24 |       "  <title>splunkd</title>\n",
  25 |       "  <id>https://localhost:8089/</id>\n",
  26 |       "  <updated>2023-04-19T05:13:09+00:00</updated>\n",
  27 |       "  <generator build=\"de405f4a7979\" version=\"9.0.4\"/>\n",
  28 |       "  <author>\n",
  29 |       "    <name>Splunk</name>\n",
  30 |       "  </author>\n",
  31 |       "  <entry>\n",
  32 |       "    <title>rpc</title>\n",
  33 |       "    <id>https://localhost:8089/rpc</id>\n",
  34 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
  35 |       "    <link href=\"/rpc\" rel=\"alternate\"/>\n",
  36 |       "  </entry>\n",
  37 |       "  <entry>\n",
  38 |       "    <title>services</title>\n",
  39 |       "    <id>https://localhost:8089/services</id>\n",
  40 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
  41 |       "    <link href=\"/services\" rel=\"alternate\"/>\n",
  42 |       "  </entry>\n",
  43 |       "  <entry>\n",
  44 |       "    <title>servicesNS</title>\n",
  45 |       "    <id>https://localhost:8089/servicesNS</id>\n",
  46 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
  47 |       "    <link href=\"/servicesNS\" rel=\"alternate\"/>\n",
  48 |       "  </entry>\n",
  49 |       "  <entry>\n",
  50 |       "    <title>static</title>\n",
  51 |       "    <id>https://localhost:8089/static</id>\n",
  52 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
  53 |       "    <link href=\"/static\" rel=\"alternate\"/>\n",
  54 |       "  </entry>\n",
  55 |       "</feed>\n"
  56 |      ]
  57 |     }
  58 |    ],
  59 |    "source": [
  60 |     "# check the splunk version via REST API\n",
  61 |     "!curl https://localhost:8089 -k\n"
  62 |    ]
  63 |   },
  64 |   {
  65 |    "cell_type": "code",
  66 |    "execution_count": 18,
  67 |    "metadata": {},
  68 |    "outputs": [
  69 |     {
  70 |      "name": "stdout",
  71 |      "output_type": "stream",
  72 |      "text": [
  73 |       "2.4.0\n"
  74 |      ]
  75 |     }
  76 |    ],
  77 |    "source": [
  78 |     "import msticpy as mp\n",
  79 |     "print(mp.__version__)"
  80 |    ]
  81 |   },
  82 |   {
  83 |    "cell_type": "code",
  84 |    "execution_count": 19,
  85 |    "metadata": {},
  86 |    "outputs": [
  87 |     {
  88 |      "name": "stderr",
  89 |      "output_type": "stream",
  90 |      "text": [
  91 |       "2023-04-19 14:13:16,294: WARNING - config validation error Missing or empty 'AzureSentinel' section (nbinit#697)\n",
  92 |       "2023-04-19 14:13:16,294: WARNING - Could not find msticpyconfig.yaml in standard search. (nbinit#710)\n"
  93 |      ]
  94 |     },
  95 |     {
  96 |      "data": {
  97 |       "text/html": [
  98 |        "<p style=''><font color='orange'><h3>Notebook setup completed with some warnings.</h3></p>"
  99 |       ],
 100 |       "text/plain": [
 101 |        "<IPython.core.display.HTML object>"
 102 |       ]
 103 |      },
 104 |      "metadata": {},
 105 |      "output_type": "display_data"
 106 |     },
 107 |     {
 108 |      "data": {
 109 |       "text/html": [
 110 |        "<p style=''>One or more configuration items were missing or set incorrectly.</p>"
 111 |       ],
 112 |       "text/plain": [
 113 |        "<IPython.core.display.HTML object>"
 114 |       ]
 115 |      },
 116 |      "metadata": {},
 117 |      "output_type": "display_data"
 118 |     },
 119 |     {
 120 |      "data": {
 121 |       "text/html": [
 122 |        "<p style=''>Please run the <i>Getting Started Guide for Azure Sentinel ML Notebooks</i> notebook. and the <a href='https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html'>msticpy configuration guide</a>.</p>"
 123 |       ],
 124 |       "text/plain": [
 125 |        "<IPython.core.display.HTML object>"
 126 |       ]
 127 |      },
 128 |      "metadata": {},
 129 |      "output_type": "display_data"
 130 |     },
 131 |     {
 132 |      "data": {
 133 |       "text/html": [
 134 |        "<p style=''>This notebook may still run but with reduced functionality.</p>"
 135 |       ],
 136 |       "text/plain": [
 137 |        "<IPython.core.display.HTML object>"
 138 |       ]
 139 |      },
 140 |      "metadata": {},
 141 |      "output_type": "display_data"
 142 |     }
 143 |    ],
 144 |    "source": [
 145 |     "mp.init_notebook()"
 146 |    ]
 147 |   },
 148 |   {
 149 |    "cell_type": "code",
 150 |    "execution_count": 20,
 151 |    "metadata": {},
 152 |    "outputs": [
 153 |     {
 154 |      "name": "stdout",
 155 |      "output_type": "stream",
 156 |      "text": [
 157 |       "connected\n"
 158 |      ]
 159 |     }
 160 |    ],
 161 |    "source": [
 162 |     "splunk_prov = mp.QueryProvider(\"Splunk\")\n",
 163 |     "splunk_prov.connect()"
 164 |    ]
 165 |   },
 166 |   {
 167 |    "cell_type": "code",
 168 |    "execution_count": 23,
 169 |    "metadata": {},
 170 |    "outputs": [
 171 |     {
 172 |      "name": "stdout",
 173 |      "output_type": "stream",
 174 |      "text": [
 175 |       "Query:  get_events_parameterized\n",
 176 |       "Data source:  Splunk\n",
 177 |       "Generic parameterized query from index/source\n",
 178 |       "\n",
 179 |       "Parameters\n",
 180 |       "----------\n",
 181 |       "add_query_items: str (optional)\n",
 182 |       "    Additional query clauses\n",
 183 |       "    (default value is: | head 100)\n",
 184 |       "end: datetime\n",
 185 |       "    Query end time\n",
 186 |       "index: str (optional)\n",
 187 |       "    Splunk index name\n",
 188 |       "    (default value is: *)\n",
 189 |       "project_fields: str (optional)\n",
 190 |       "    Project Field names\n",
 191 |       "    (default value is: | table TimeCreated, host, EventID, EventDescripti...)\n",
 192 |       "source: str (optional)\n",
 193 |       "    Splunk source type\n",
 194 |       "    (default value is: *)\n",
 195 |       "start: datetime\n",
 196 |       "    Query start time\n",
 197 |       "timeformat: str (optional)\n",
 198 |       "    Datetime format to use in Splunk query\n",
 199 |       "    (default value is: \"%Y-%m-%d %H:%M:%S.%6N\")\n",
 200 |       "Query:\n",
 201 |       " search index={index} source={source} timeformat={timeformat} earliest={start} latest={end} {project_fields} {add_query_items}\n"
 202 |      ]
 203 |     }
 204 |    ],
 205 |    "source": [
 206 |     "splunk_prov.SplunkGeneral.get_events_parameterized('?')\n"
 207 |    ]
 208 |   },
 209 |   {
 210 |    "cell_type": "code",
 211 |    "execution_count": 24,
 212 |    "metadata": {},
 213 |    "outputs": [
 214 |     {
 215 |      "data": {
 216 |       "text/plain": [
 217 |        "' search index=msticpy source=msticpy_splunk_reader_paging-test.csv timeformat=\"%Y-%m-%d %H:%M:%S.%6N\" earliest=\"2023-04-17 00:00:00\" latest=\"2023-04-19 10:00:00\" | table timestamp,rownum, desc, uuid4, host '"
 218 |       ]
 219 |      },
 220 |      "execution_count": 24,
 221 |      "metadata": {},
 222 |      "output_type": "execute_result"
 223 |     }
 224 |    ],
 225 |    "source": [
 226 |     "splunk_prov.SplunkGeneral.get_events_parameterized('print',\n",
 227 |     "    index=\"msticpy\",\n",
 228 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
 229 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
 230 |     "    start=\"2023-04-17 00:00:00.000000\",\n",
 231 |     "    end=\"2023-04-19 10:00:00.000000\",    \n",
 232 |     "    add_query_items='',\n",
 233 |     "    count=0\n",
 234 |     ")\n",
 235 |     "\n"
 236 |    ]
 237 |   },
 238 |   {
 239 |    "cell_type": "code",
 240 |    "execution_count": 25,
 241 |    "metadata": {},
 242 |    "outputs": [
 243 |     {
 244 |      "name": "stderr",
 245 |      "output_type": "stream",
 246 |      "text": [
 247 |       "Waiting Splunk job to complete: 100%|██████████| 100.0/100 [00:01<00:00, 97.67it/s]\n",
 248 |       "/Users/hacket/.pyenv/versions/3.9.5/lib/python3.9/site-packages/msticpy/data/drivers/splunk_driver.py:234: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
 249 |       "  reader = sp_results.ResultsReader(query_job.results())\n"
 250 |      ]
 251 |     },
 252 |     {
 253 |      "data": {
 254 |       "text/plain": [
 255 |        "100"
 256 |       ]
 257 |      },
 258 |      "execution_count": 25,
 259 |      "metadata": {},
 260 |      "output_type": "execute_result"
 261 |     }
 262 |    ],
 263 |    "source": [
 264 |     "\n",
 265 |     "result_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
 266 |     "    index=\"msticpy\",\n",
 267 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
 268 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
 269 |     "    start=\"2023-04-17 00:00:00.000000\",\n",
 270 |     "    end=\"2023-04-19 10:00:00.000000\",    \n",
 271 |     "    add_query_items='',\n",
 272 |     "    count=0\n",
 273 |     ")\n",
 274 |     "len(result_df)"
 275 |    ]
 276 |   },
 277 |   {
 278 |    "cell_type": "code",
 279 |    "execution_count": 26,
 280 |    "metadata": {},
 281 |    "outputs": [
 282 |     {
 283 |      "data": {
 284 |       "text/html": [
 285 |        "<div>\n",
 286 |        "<style scoped>\n",
 287 |        "    .dataframe tbody tr th:only-of-type {\n",
 288 |        "        vertical-align: middle;\n",
 289 |        "    }\n",
 290 |        "\n",
 291 |        "    .dataframe tbody tr th {\n",
 292 |        "        vertical-align: top;\n",
 293 |        "    }\n",
 294 |        "\n",
 295 |        "    .dataframe thead th {\n",
 296 |        "        text-align: right;\n",
 297 |        "    }\n",
 298 |        "</style>\n",
 299 |        "<table border=\"1\" class=\"dataframe\">\n",
 300 |        "  <thead>\n",
 301 |        "    <tr style=\"text-align: right;\">\n",
 302 |        "      <th></th>\n",
 303 |        "      <th>timestamp</th>\n",
 304 |        "      <th>rownum</th>\n",
 305 |        "      <th>desc</th>\n",
 306 |        "      <th>uuid4</th>\n",
 307 |        "      <th>host</th>\n",
 308 |        "    </tr>\n",
 309 |        "  </thead>\n",
 310 |        "  <tbody>\n",
 311 |        "    <tr>\n",
 312 |        "      <th>0</th>\n",
 313 |        "      <td>1681779752.406508</td>\n",
 314 |        "      <td>91020</td>\n",
 315 |        "      <td>testing_rownum91020</td>\n",
 316 |        "      <td>e6b1e205-ad10-40a9-81da-6de2a48310bf</td>\n",
 317 |        "      <td>b7ea75f8df3c</td>\n",
 318 |        "    </tr>\n",
 319 |        "    <tr>\n",
 320 |        "      <th>1</th>\n",
 321 |        "      <td>1681779752.405167</td>\n",
 322 |        "      <td>91019</td>\n",
 323 |        "      <td>testing_rownum91019</td>\n",
 324 |        "      <td>1fdf3802-c17e-4dbd-af9a-5a74beb6dac2</td>\n",
 325 |        "      <td>b7ea75f8df3c</td>\n",
 326 |        "    </tr>\n",
 327 |        "    <tr>\n",
 328 |        "      <th>2</th>\n",
 329 |        "      <td>1681779752.403983</td>\n",
 330 |        "      <td>91018</td>\n",
 331 |        "      <td>testing_rownum91018</td>\n",
 332 |        "      <td>63853418-0e82-453d-a816-d759fdb06f66</td>\n",
 333 |        "      <td>b7ea75f8df3c</td>\n",
 334 |        "    </tr>\n",
 335 |        "    <tr>\n",
 336 |        "      <th>3</th>\n",
 337 |        "      <td>1681779752.402606</td>\n",
 338 |        "      <td>91017</td>\n",
 339 |        "      <td>testing_rownum91017</td>\n",
 340 |        "      <td>f9410562-ef8a-48ce-8a20-0d700c57cead</td>\n",
 341 |        "      <td>b7ea75f8df3c</td>\n",
 342 |        "    </tr>\n",
 343 |        "    <tr>\n",
 344 |        "      <th>4</th>\n",
 345 |        "      <td>1681779752.401176</td>\n",
 346 |        "      <td>91016</td>\n",
 347 |        "      <td>testing_rownum91016</td>\n",
 348 |        "      <td>a83544f4-3640-48ac-82fa-a69ef43c83f8</td>\n",
 349 |        "      <td>b7ea75f8df3c</td>\n",
 350 |        "    </tr>\n",
 351 |        "    <tr>\n",
 352 |        "      <th>5</th>\n",
 353 |        "      <td>1681779752.399793</td>\n",
 354 |        "      <td>91015</td>\n",
 355 |        "      <td>testing_rownum91015</td>\n",
 356 |        "      <td>abc1f653-9197-48af-9c51-de3ec4cbdf60</td>\n",
 357 |        "      <td>b7ea75f8df3c</td>\n",
 358 |        "    </tr>\n",
 359 |        "    <tr>\n",
 360 |        "      <th>6</th>\n",
 361 |        "      <td>1681779752.398403</td>\n",
 362 |        "      <td>91014</td>\n",
 363 |        "      <td>testing_rownum91014</td>\n",
 364 |        "      <td>73db45e8-498b-423a-99d4-93a8987f4383</td>\n",
 365 |        "      <td>b7ea75f8df3c</td>\n",
 366 |        "    </tr>\n",
 367 |        "    <tr>\n",
 368 |        "      <th>7</th>\n",
 369 |        "      <td>1681779752.397149</td>\n",
 370 |        "      <td>91013</td>\n",
 371 |        "      <td>testing_rownum91013</td>\n",
 372 |        "      <td>dcda1ec7-2aee-47e1-83f6-380f757ac274</td>\n",
 373 |        "      <td>b7ea75f8df3c</td>\n",
 374 |        "    </tr>\n",
 375 |        "    <tr>\n",
 376 |        "      <th>8</th>\n",
 377 |        "      <td>1681779752.39573</td>\n",
 378 |        "      <td>91012</td>\n",
 379 |        "      <td>testing_rownum91012</td>\n",
 380 |        "      <td>5c78d913-36b7-4ea2-a8e1-d2f365c034bb</td>\n",
 381 |        "      <td>b7ea75f8df3c</td>\n",
 382 |        "    </tr>\n",
 383 |        "    <tr>\n",
 384 |        "      <th>9</th>\n",
 385 |        "      <td>1681779752.394345</td>\n",
 386 |        "      <td>91011</td>\n",
 387 |        "      <td>testing_rownum91011</td>\n",
 388 |        "      <td>a6089f12-9447-4098-8feb-2d1c90130ffd</td>\n",
 389 |        "      <td>b7ea75f8df3c</td>\n",
 390 |        "    </tr>\n",
 391 |        "    <tr>\n",
 392 |        "      <th>10</th>\n",
 393 |        "      <td>1681779752.392953</td>\n",
 394 |        "      <td>91010</td>\n",
 395 |        "      <td>testing_rownum91010</td>\n",
 396 |        "      <td>9285c292-a454-41e8-a4e9-87b1ba27812e</td>\n",
 397 |        "      <td>b7ea75f8df3c</td>\n",
 398 |        "    </tr>\n",
 399 |        "    <tr>\n",
 400 |        "      <th>11</th>\n",
 401 |        "      <td>1681779752.391523</td>\n",
 402 |        "      <td>91009</td>\n",
 403 |        "      <td>testing_rownum91009</td>\n",
 404 |        "      <td>78d3b3cf-494e-450e-ae3b-5270e8c29a09</td>\n",
 405 |        "      <td>b7ea75f8df3c</td>\n",
 406 |        "    </tr>\n",
 407 |        "    <tr>\n",
 408 |        "      <th>12</th>\n",
 409 |        "      <td>1681779752.390141</td>\n",
 410 |        "      <td>91008</td>\n",
 411 |        "      <td>testing_rownum91008</td>\n",
 412 |        "      <td>ea055d48-7fa1-4233-b20b-d59dfdb6608e</td>\n",
 413 |        "      <td>b7ea75f8df3c</td>\n",
 414 |        "    </tr>\n",
 415 |        "    <tr>\n",
 416 |        "      <th>13</th>\n",
 417 |        "      <td>1681779752.388756</td>\n",
 418 |        "      <td>91007</td>\n",
 419 |        "      <td>testing_rownum91007</td>\n",
 420 |        "      <td>5dd307fe-590e-4e34-b9c7-14fe264621b6</td>\n",
 421 |        "      <td>b7ea75f8df3c</td>\n",
 422 |        "    </tr>\n",
 423 |        "    <tr>\n",
 424 |        "      <th>14</th>\n",
 425 |        "      <td>1681779752.387368</td>\n",
 426 |        "      <td>91006</td>\n",
 427 |        "      <td>testing_rownum91006</td>\n",
 428 |        "      <td>0bbc9c1d-e960-4669-9533-2eeb9f44368d</td>\n",
 429 |        "      <td>b7ea75f8df3c</td>\n",
 430 |        "    </tr>\n",
 431 |        "    <tr>\n",
 432 |        "      <th>15</th>\n",
 433 |        "      <td>1681779752.385981</td>\n",
 434 |        "      <td>91005</td>\n",
 435 |        "      <td>testing_rownum91005</td>\n",
 436 |        "      <td>ea630193-d9e9-4b6f-ab53-2176ddcc58f6</td>\n",
 437 |        "      <td>b7ea75f8df3c</td>\n",
 438 |        "    </tr>\n",
 439 |        "    <tr>\n",
 440 |        "      <th>16</th>\n",
 441 |        "      <td>1681779752.384581</td>\n",
 442 |        "      <td>91004</td>\n",
 443 |        "      <td>testing_rownum91004</td>\n",
 444 |        "      <td>1461a016-4a56-4888-9a3e-e78d49856c4a</td>\n",
 445 |        "      <td>b7ea75f8df3c</td>\n",
 446 |        "    </tr>\n",
 447 |        "    <tr>\n",
 448 |        "      <th>17</th>\n",
 449 |        "      <td>1681779752.383178</td>\n",
 450 |        "      <td>91003</td>\n",
 451 |        "      <td>testing_rownum91003</td>\n",
 452 |        "      <td>52317b49-f8cc-4218-aa35-a47ecd62e568</td>\n",
 453 |        "      <td>b7ea75f8df3c</td>\n",
 454 |        "    </tr>\n",
 455 |        "    <tr>\n",
 456 |        "      <th>18</th>\n",
 457 |        "      <td>1681779752.381794</td>\n",
 458 |        "      <td>91002</td>\n",
 459 |        "      <td>testing_rownum91002</td>\n",
 460 |        "      <td>6799ef50-122c-4c73-bb70-bb55ac67de66</td>\n",
 461 |        "      <td>b7ea75f8df3c</td>\n",
 462 |        "    </tr>\n",
 463 |        "    <tr>\n",
 464 |        "      <th>19</th>\n",
 465 |        "      <td>1681779752.380393</td>\n",
 466 |        "      <td>91001</td>\n",
 467 |        "      <td>testing_rownum91001</td>\n",
 468 |        "      <td>8c71a674-ca0c-4de9-bb39-2b246dac630f</td>\n",
 469 |        "      <td>b7ea75f8df3c</td>\n",
 470 |        "    </tr>\n",
 471 |        "    <tr>\n",
 472 |        "      <th>20</th>\n",
 473 |        "      <td>1681779752.378992</td>\n",
 474 |        "      <td>91000</td>\n",
 475 |        "      <td>testing_rownum91000</td>\n",
 476 |        "      <td>33c9cfb0-d264-44e9-b173-5020beb7b3fe</td>\n",
 477 |        "      <td>b7ea75f8df3c</td>\n",
 478 |        "    </tr>\n",
 479 |        "    <tr>\n",
 480 |        "      <th>21</th>\n",
 481 |        "      <td>1681779752.377607</td>\n",
 482 |        "      <td>90999</td>\n",
 483 |        "      <td>testing_rownum90999</td>\n",
 484 |        "      <td>a535250e-3c1d-46c7-a1c3-cdebdfee7b24</td>\n",
 485 |        "      <td>b7ea75f8df3c</td>\n",
 486 |        "    </tr>\n",
 487 |        "    <tr>\n",
 488 |        "      <th>22</th>\n",
 489 |        "      <td>1681779752.376221</td>\n",
 490 |        "      <td>90998</td>\n",
 491 |        "      <td>testing_rownum90998</td>\n",
 492 |        "      <td>38b94fef-71b5-4172-99a8-2706ee362330</td>\n",
 493 |        "      <td>b7ea75f8df3c</td>\n",
 494 |        "    </tr>\n",
 495 |        "    <tr>\n",
 496 |        "      <th>23</th>\n",
 497 |        "      <td>1681779752.374777</td>\n",
 498 |        "      <td>90997</td>\n",
 499 |        "      <td>testing_rownum90997</td>\n",
 500 |        "      <td>11003d0b-e3a0-416c-af9a-eb8e1235f73e</td>\n",
 501 |        "      <td>b7ea75f8df3c</td>\n",
 502 |        "    </tr>\n",
 503 |        "    <tr>\n",
 504 |        "      <th>24</th>\n",
 505 |        "      <td>1681779752.373472</td>\n",
 506 |        "      <td>90996</td>\n",
 507 |        "      <td>testing_rownum90996</td>\n",
 508 |        "      <td>33860324-3eea-4839-9c5a-7cf166de2110</td>\n",
 509 |        "      <td>b7ea75f8df3c</td>\n",
 510 |        "    </tr>\n",
 511 |        "    <tr>\n",
 512 |        "      <th>25</th>\n",
 513 |        "      <td>1681779752.372097</td>\n",
 514 |        "      <td>90995</td>\n",
 515 |        "      <td>testing_rownum90995</td>\n",
 516 |        "      <td>ba436b9d-9082-4411-b603-658f810677ae</td>\n",
 517 |        "      <td>b7ea75f8df3c</td>\n",
 518 |        "    </tr>\n",
 519 |        "    <tr>\n",
 520 |        "      <th>26</th>\n",
 521 |        "      <td>1681779752.370822</td>\n",
 522 |        "      <td>90994</td>\n",
 523 |        "      <td>testing_rownum90994</td>\n",
 524 |        "      <td>4a4dac63-c6bc-46a1-8ad8-43c0b68e9a74</td>\n",
 525 |        "      <td>b7ea75f8df3c</td>\n",
 526 |        "    </tr>\n",
 527 |        "    <tr>\n",
 528 |        "      <th>27</th>\n",
 529 |        "      <td>1681779752.369402</td>\n",
 530 |        "      <td>90993</td>\n",
 531 |        "      <td>testing_rownum90993</td>\n",
 532 |        "      <td>8cec26a2-404e-43b7-8e1e-c672adb41cab</td>\n",
 533 |        "      <td>b7ea75f8df3c</td>\n",
 534 |        "    </tr>\n",
 535 |        "    <tr>\n",
 536 |        "      <th>28</th>\n",
 537 |        "      <td>1681779752.368045</td>\n",
 538 |        "      <td>90992</td>\n",
 539 |        "      <td>testing_rownum90992</td>\n",
 540 |        "      <td>4e48d246-2a97-4892-bf7a-f9b6b0230ee7</td>\n",
 541 |        "      <td>b7ea75f8df3c</td>\n",
 542 |        "    </tr>\n",
 543 |        "    <tr>\n",
 544 |        "      <th>29</th>\n",
 545 |        "      <td>1681779752.366817</td>\n",
 546 |        "      <td>90991</td>\n",
 547 |        "      <td>testing_rownum90991</td>\n",
 548 |        "      <td>6cc13611-669a-4ac6-a1a7-0f1ec2559d0e</td>\n",
 549 |        "      <td>b7ea75f8df3c</td>\n",
 550 |        "    </tr>\n",
 551 |        "    <tr>\n",
 552 |        "      <th>30</th>\n",
 553 |        "      <td>1681779752.365429</td>\n",
 554 |        "      <td>90990</td>\n",
 555 |        "      <td>testing_rownum90990</td>\n",
 556 |        "      <td>6bbbafda-4bbe-40f0-b46a-11186cf12e7e</td>\n",
 557 |        "      <td>b7ea75f8df3c</td>\n",
 558 |        "    </tr>\n",
 559 |        "    <tr>\n",
 560 |        "      <th>31</th>\n",
 561 |        "      <td>1681779752.363988</td>\n",
 562 |        "      <td>90989</td>\n",
 563 |        "      <td>testing_rownum90989</td>\n",
 564 |        "      <td>d3aed9f7-bc7f-4d41-b4d2-0598a0af2dee</td>\n",
 565 |        "      <td>b7ea75f8df3c</td>\n",
 566 |        "    </tr>\n",
 567 |        "    <tr>\n",
 568 |        "      <th>32</th>\n",
 569 |        "      <td>1681779752.362554</td>\n",
 570 |        "      <td>90988</td>\n",
 571 |        "      <td>testing_rownum90988</td>\n",
 572 |        "      <td>7068ee2c-25c2-44a1-bff3-f62c3edb2cd2</td>\n",
 573 |        "      <td>b7ea75f8df3c</td>\n",
 574 |        "    </tr>\n",
 575 |        "    <tr>\n",
 576 |        "      <th>33</th>\n",
 577 |        "      <td>1681779752.361126</td>\n",
 578 |        "      <td>90987</td>\n",
 579 |        "      <td>testing_rownum90987</td>\n",
 580 |        "      <td>ec051770-480e-4547-97c8-499cd48bafe6</td>\n",
 581 |        "      <td>b7ea75f8df3c</td>\n",
 582 |        "    </tr>\n",
 583 |        "    <tr>\n",
 584 |        "      <th>34</th>\n",
 585 |        "      <td>1681779752.359682</td>\n",
 586 |        "      <td>90986</td>\n",
 587 |        "      <td>testing_rownum90986</td>\n",
 588 |        "      <td>26c41209-b5a0-475c-8cc9-33e3ca0e9da9</td>\n",
 589 |        "      <td>b7ea75f8df3c</td>\n",
 590 |        "    </tr>\n",
 591 |        "    <tr>\n",
 592 |        "      <th>35</th>\n",
 593 |        "      <td>1681779752.358297</td>\n",
 594 |        "      <td>90985</td>\n",
 595 |        "      <td>testing_rownum90985</td>\n",
 596 |        "      <td>9acc54f9-bec8-4569-b553-d0d428fb9d58</td>\n",
 597 |        "      <td>b7ea75f8df3c</td>\n",
 598 |        "    </tr>\n",
 599 |        "    <tr>\n",
 600 |        "      <th>36</th>\n",
 601 |        "      <td>1681779752.35692</td>\n",
 602 |        "      <td>90984</td>\n",
 603 |        "      <td>testing_rownum90984</td>\n",
 604 |        "      <td>958216ac-9583-4428-b1d8-f565596a833f</td>\n",
 605 |        "      <td>b7ea75f8df3c</td>\n",
 606 |        "    </tr>\n",
 607 |        "    <tr>\n",
 608 |        "      <th>37</th>\n",
 609 |        "      <td>1681779752.355614</td>\n",
 610 |        "      <td>90983</td>\n",
 611 |        "      <td>testing_rownum90983</td>\n",
 612 |        "      <td>f9128fe4-cd8c-4556-b660-a0ae9c542262</td>\n",
 613 |        "      <td>b7ea75f8df3c</td>\n",
 614 |        "    </tr>\n",
 615 |        "    <tr>\n",
 616 |        "      <th>38</th>\n",
 617 |        "      <td>1681779752.354208</td>\n",
 618 |        "      <td>90982</td>\n",
 619 |        "      <td>testing_rownum90982</td>\n",
 620 |        "      <td>460c77e6-dd96-4b42-be80-60a1e86427d5</td>\n",
 621 |        "      <td>b7ea75f8df3c</td>\n",
 622 |        "    </tr>\n",
 623 |        "    <tr>\n",
 624 |        "      <th>39</th>\n",
 625 |        "      <td>1681779752.352808</td>\n",
 626 |        "      <td>90981</td>\n",
 627 |        "      <td>testing_rownum90981</td>\n",
 628 |        "      <td>0f240d33-23d5-4320-b7a4-073dc2b8f361</td>\n",
 629 |        "      <td>b7ea75f8df3c</td>\n",
 630 |        "    </tr>\n",
 631 |        "    <tr>\n",
 632 |        "      <th>40</th>\n",
 633 |        "      <td>1681779752.351424</td>\n",
 634 |        "      <td>90980</td>\n",
 635 |        "      <td>testing_rownum90980</td>\n",
 636 |        "      <td>687b894e-0961-4a9d-bfaf-ad7bac60468a</td>\n",
 637 |        "      <td>b7ea75f8df3c</td>\n",
 638 |        "    </tr>\n",
 639 |        "    <tr>\n",
 640 |        "      <th>41</th>\n",
 641 |        "      <td>1681779752.350038</td>\n",
 642 |        "      <td>90979</td>\n",
 643 |        "      <td>testing_rownum90979</td>\n",
 644 |        "      <td>970bf2e6-e344-4e1a-a8de-d289ecb85a36</td>\n",
 645 |        "      <td>b7ea75f8df3c</td>\n",
 646 |        "    </tr>\n",
 647 |        "    <tr>\n",
 648 |        "      <th>42</th>\n",
 649 |        "      <td>1681779752.348623</td>\n",
 650 |        "      <td>90978</td>\n",
 651 |        "      <td>testing_rownum90978</td>\n",
 652 |        "      <td>2b9cf05a-f8c1-4da1-80f6-93204be6c2d8</td>\n",
 653 |        "      <td>b7ea75f8df3c</td>\n",
 654 |        "    </tr>\n",
 655 |        "    <tr>\n",
 656 |        "      <th>43</th>\n",
 657 |        "      <td>1681779752.347205</td>\n",
 658 |        "      <td>90977</td>\n",
 659 |        "      <td>testing_rownum90977</td>\n",
 660 |        "      <td>c9d59855-0363-45d4-8cff-c72d631e4b99</td>\n",
 661 |        "      <td>b7ea75f8df3c</td>\n",
 662 |        "    </tr>\n",
 663 |        "    <tr>\n",
 664 |        "      <th>44</th>\n",
 665 |        "      <td>1681779752.345805</td>\n",
 666 |        "      <td>90976</td>\n",
 667 |        "      <td>testing_rownum90976</td>\n",
 668 |        "      <td>4c39cb21-a981-4802-bee3-04a44a0d48e3</td>\n",
 669 |        "      <td>b7ea75f8df3c</td>\n",
 670 |        "    </tr>\n",
 671 |        "    <tr>\n",
 672 |        "      <th>45</th>\n",
 673 |        "      <td>1681779752.344417</td>\n",
 674 |        "      <td>90975</td>\n",
 675 |        "      <td>testing_rownum90975</td>\n",
 676 |        "      <td>85214d7e-b933-4081-af84-10c0c5b8e37d</td>\n",
 677 |        "      <td>b7ea75f8df3c</td>\n",
 678 |        "    </tr>\n",
 679 |        "    <tr>\n",
 680 |        "      <th>46</th>\n",
 681 |        "      <td>1681779752.343033</td>\n",
 682 |        "      <td>90974</td>\n",
 683 |        "      <td>testing_rownum90974</td>\n",
 684 |        "      <td>ec60e11b-8e08-437c-8c73-cb0e8bd4dc41</td>\n",
 685 |        "      <td>b7ea75f8df3c</td>\n",
 686 |        "    </tr>\n",
 687 |        "    <tr>\n",
 688 |        "      <th>47</th>\n",
 689 |        "      <td>1681779752.341633</td>\n",
 690 |        "      <td>90973</td>\n",
 691 |        "      <td>testing_rownum90973</td>\n",
 692 |        "      <td>e1224ee0-a8cb-46d4-ae9b-b9daab5e394f</td>\n",
 693 |        "      <td>b7ea75f8df3c</td>\n",
 694 |        "    </tr>\n",
 695 |        "    <tr>\n",
 696 |        "      <th>48</th>\n",
 697 |        "      <td>1681779752.340229</td>\n",
 698 |        "      <td>90972</td>\n",
 699 |        "      <td>testing_rownum90972</td>\n",
 700 |        "      <td>8f7d1802-743d-4d4a-8a23-860e2613055f</td>\n",
 701 |        "      <td>b7ea75f8df3c</td>\n",
 702 |        "    </tr>\n",
 703 |        "    <tr>\n",
 704 |        "      <th>49</th>\n",
 705 |        "      <td>1681779752.338835</td>\n",
 706 |        "      <td>90971</td>\n",
 707 |        "      <td>testing_rownum90971</td>\n",
 708 |        "      <td>3e96d2fb-e771-4b47-8e81-1cab2e9b6271</td>\n",
 709 |        "      <td>b7ea75f8df3c</td>\n",
 710 |        "    </tr>\n",
 711 |        "    <tr>\n",
 712 |        "      <th>50</th>\n",
 713 |        "      <td>1681779752.337448</td>\n",
 714 |        "      <td>90970</td>\n",
 715 |        "      <td>testing_rownum90970</td>\n",
 716 |        "      <td>77b6440d-c899-4ff1-9a7f-a8d77f485ed2</td>\n",
 717 |        "      <td>b7ea75f8df3c</td>\n",
 718 |        "    </tr>\n",
 719 |        "    <tr>\n",
 720 |        "      <th>51</th>\n",
 721 |        "      <td>1681779752.336065</td>\n",
 722 |        "      <td>90969</td>\n",
 723 |        "      <td>testing_rownum90969</td>\n",
 724 |        "      <td>a7d68e3d-a78f-407c-827d-362b789257b5</td>\n",
 725 |        "      <td>b7ea75f8df3c</td>\n",
 726 |        "    </tr>\n",
 727 |        "    <tr>\n",
 728 |        "      <th>52</th>\n",
 729 |        "      <td>1681779752.334683</td>\n",
 730 |        "      <td>90968</td>\n",
 731 |        "      <td>testing_rownum90968</td>\n",
 732 |        "      <td>78a0421c-99f6-40cd-a903-1ea72464b0ce</td>\n",
 733 |        "      <td>b7ea75f8df3c</td>\n",
 734 |        "    </tr>\n",
 735 |        "    <tr>\n",
 736 |        "      <th>53</th>\n",
 737 |        "      <td>1681779752.333446</td>\n",
 738 |        "      <td>90967</td>\n",
 739 |        "      <td>testing_rownum90967</td>\n",
 740 |        "      <td>505b326f-997d-446d-ad04-ceb0d98a8708</td>\n",
 741 |        "      <td>b7ea75f8df3c</td>\n",
 742 |        "    </tr>\n",
 743 |        "    <tr>\n",
 744 |        "      <th>54</th>\n",
 745 |        "      <td>1681779752.332216</td>\n",
 746 |        "      <td>90966</td>\n",
 747 |        "      <td>testing_rownum90966</td>\n",
 748 |        "      <td>adbfbba2-9415-4381-8c05-4d34bdcc914a</td>\n",
 749 |        "      <td>b7ea75f8df3c</td>\n",
 750 |        "    </tr>\n",
 751 |        "    <tr>\n",
 752 |        "      <th>55</th>\n",
 753 |        "      <td>1681779752.330789</td>\n",
 754 |        "      <td>90965</td>\n",
 755 |        "      <td>testing_rownum90965</td>\n",
 756 |        "      <td>3517ba74-2e00-4bf2-a42b-20e0d764b811</td>\n",
 757 |        "      <td>b7ea75f8df3c</td>\n",
 758 |        "    </tr>\n",
 759 |        "    <tr>\n",
 760 |        "      <th>56</th>\n",
 761 |        "      <td>1681779752.329405</td>\n",
 762 |        "      <td>90964</td>\n",
 763 |        "      <td>testing_rownum90964</td>\n",
 764 |        "      <td>95f3c4a0-f0c6-44be-88ec-8cad8cc1fbf2</td>\n",
 765 |        "      <td>b7ea75f8df3c</td>\n",
 766 |        "    </tr>\n",
 767 |        "    <tr>\n",
 768 |        "      <th>57</th>\n",
 769 |        "      <td>1681779752.328077</td>\n",
 770 |        "      <td>90963</td>\n",
 771 |        "      <td>testing_rownum90963</td>\n",
 772 |        "      <td>ad693222-f6ee-4f45-8b37-6a78bc72a7d6</td>\n",
 773 |        "      <td>b7ea75f8df3c</td>\n",
 774 |        "    </tr>\n",
 775 |        "    <tr>\n",
 776 |        "      <th>58</th>\n",
 777 |        "      <td>1681779752.326748</td>\n",
 778 |        "      <td>90962</td>\n",
 779 |        "      <td>testing_rownum90962</td>\n",
 780 |        "      <td>01b6f4f2-db3f-48a9-b0ea-ded53ecc9bb0</td>\n",
 781 |        "      <td>b7ea75f8df3c</td>\n",
 782 |        "    </tr>\n",
 783 |        "    <tr>\n",
 784 |        "      <th>59</th>\n",
 785 |        "      <td>1681779752.325389</td>\n",
 786 |        "      <td>90961</td>\n",
 787 |        "      <td>testing_rownum90961</td>\n",
 788 |        "      <td>2218a2ee-3838-4fed-83f3-f571d7330c1f</td>\n",
 789 |        "      <td>b7ea75f8df3c</td>\n",
 790 |        "    </tr>\n",
 791 |        "    <tr>\n",
 792 |        "      <th>60</th>\n",
 793 |        "      <td>1681779752.32401</td>\n",
 794 |        "      <td>90960</td>\n",
 795 |        "      <td>testing_rownum90960</td>\n",
 796 |        "      <td>1fdeb5de-8c16-4e31-a19c-0ece227f75a0</td>\n",
 797 |        "      <td>b7ea75f8df3c</td>\n",
 798 |        "    </tr>\n",
 799 |        "    <tr>\n",
 800 |        "      <th>61</th>\n",
 801 |        "      <td>1681779752.322841</td>\n",
 802 |        "      <td>90959</td>\n",
 803 |        "      <td>testing_rownum90959</td>\n",
 804 |        "      <td>3d4a5628-f467-4a54-8966-f30d057d1060</td>\n",
 805 |        "      <td>b7ea75f8df3c</td>\n",
 806 |        "    </tr>\n",
 807 |        "    <tr>\n",
 808 |        "      <th>62</th>\n",
 809 |        "      <td>1681779752.321636</td>\n",
 810 |        "      <td>90958</td>\n",
 811 |        "      <td>testing_rownum90958</td>\n",
 812 |        "      <td>9d4cedfa-70db-4710-88f3-9b1f17238549</td>\n",
 813 |        "      <td>b7ea75f8df3c</td>\n",
 814 |        "    </tr>\n",
 815 |        "    <tr>\n",
 816 |        "      <th>63</th>\n",
 817 |        "      <td>1681779752.320403</td>\n",
 818 |        "      <td>90957</td>\n",
 819 |        "      <td>testing_rownum90957</td>\n",
 820 |        "      <td>eec23ddf-0d2e-41b3-b387-b1c7e09606b4</td>\n",
 821 |        "      <td>b7ea75f8df3c</td>\n",
 822 |        "    </tr>\n",
 823 |        "    <tr>\n",
 824 |        "      <th>64</th>\n",
 825 |        "      <td>1681779752.319054</td>\n",
 826 |        "      <td>90956</td>\n",
 827 |        "      <td>testing_rownum90956</td>\n",
 828 |        "      <td>01762a20-edb8-4531-8b47-feedbe22b565</td>\n",
 829 |        "      <td>b7ea75f8df3c</td>\n",
 830 |        "    </tr>\n",
 831 |        "    <tr>\n",
 832 |        "      <th>65</th>\n",
 833 |        "      <td>1681779752.317637</td>\n",
 834 |        "      <td>90955</td>\n",
 835 |        "      <td>testing_rownum90955</td>\n",
 836 |        "      <td>5d9c83ea-5571-4248-a280-a084f21216e7</td>\n",
 837 |        "      <td>b7ea75f8df3c</td>\n",
 838 |        "    </tr>\n",
 839 |        "    <tr>\n",
 840 |        "      <th>66</th>\n",
 841 |        "      <td>1681779752.316274</td>\n",
 842 |        "      <td>90954</td>\n",
 843 |        "      <td>testing_rownum90954</td>\n",
 844 |        "      <td>60c1af52-657d-4c46-baa5-4df7d105264a</td>\n",
 845 |        "      <td>b7ea75f8df3c</td>\n",
 846 |        "    </tr>\n",
 847 |        "    <tr>\n",
 848 |        "      <th>67</th>\n",
 849 |        "      <td>1681779752.314906</td>\n",
 850 |        "      <td>90953</td>\n",
 851 |        "      <td>testing_rownum90953</td>\n",
 852 |        "      <td>12ab0219-f3a4-4581-a3e5-3a8703483a0d</td>\n",
 853 |        "      <td>b7ea75f8df3c</td>\n",
 854 |        "    </tr>\n",
 855 |        "    <tr>\n",
 856 |        "      <th>68</th>\n",
 857 |        "      <td>1681779752.313527</td>\n",
 858 |        "      <td>90952</td>\n",
 859 |        "      <td>testing_rownum90952</td>\n",
 860 |        "      <td>9b346382-e195-4985-828f-1aa4e6c4a109</td>\n",
 861 |        "      <td>b7ea75f8df3c</td>\n",
 862 |        "    </tr>\n",
 863 |        "    <tr>\n",
 864 |        "      <th>69</th>\n",
 865 |        "      <td>1681779752.312311</td>\n",
 866 |        "      <td>90951</td>\n",
 867 |        "      <td>testing_rownum90951</td>\n",
 868 |        "      <td>84d200f7-61d2-4ee6-a4ca-969c7056040a</td>\n",
 869 |        "      <td>b7ea75f8df3c</td>\n",
 870 |        "    </tr>\n",
 871 |        "    <tr>\n",
 872 |        "      <th>70</th>\n",
 873 |        "      <td>1681779752.31107</td>\n",
 874 |        "      <td>90950</td>\n",
 875 |        "      <td>testing_rownum90950</td>\n",
 876 |        "      <td>98ae2425-697f-46f5-8b80-0cb6d53e904a</td>\n",
 877 |        "      <td>b7ea75f8df3c</td>\n",
 878 |        "    </tr>\n",
 879 |        "    <tr>\n",
 880 |        "      <th>71</th>\n",
 881 |        "      <td>1681779752.309636</td>\n",
 882 |        "      <td>90949</td>\n",
 883 |        "      <td>testing_rownum90949</td>\n",
 884 |        "      <td>8152b663-9cbe-44f2-a499-1d1c8328398e</td>\n",
 885 |        "      <td>b7ea75f8df3c</td>\n",
 886 |        "    </tr>\n",
 887 |        "    <tr>\n",
 888 |        "      <th>72</th>\n",
 889 |        "      <td>1681779752.308253</td>\n",
 890 |        "      <td>90948</td>\n",
 891 |        "      <td>testing_rownum90948</td>\n",
 892 |        "      <td>e16ceff5-f9d7-45f8-8aa9-702930a52d4b</td>\n",
 893 |        "      <td>b7ea75f8df3c</td>\n",
 894 |        "    </tr>\n",
 895 |        "    <tr>\n",
 896 |        "      <th>73</th>\n",
 897 |        "      <td>1681779752.306838</td>\n",
 898 |        "      <td>90947</td>\n",
 899 |        "      <td>testing_rownum90947</td>\n",
 900 |        "      <td>6c821b9b-91d8-427e-9fc2-aa4b493b2fe5</td>\n",
 901 |        "      <td>b7ea75f8df3c</td>\n",
 902 |        "    </tr>\n",
 903 |        "    <tr>\n",
 904 |        "      <th>74</th>\n",
 905 |        "      <td>1681779752.305435</td>\n",
 906 |        "      <td>90946</td>\n",
 907 |        "      <td>testing_rownum90946</td>\n",
 908 |        "      <td>da396819-e679-4d53-bacc-a39e1c812996</td>\n",
 909 |        "      <td>b7ea75f8df3c</td>\n",
 910 |        "    </tr>\n",
 911 |        "    <tr>\n",
 912 |        "      <th>75</th>\n",
 913 |        "      <td>1681779752.304033</td>\n",
 914 |        "      <td>90945</td>\n",
 915 |        "      <td>testing_rownum90945</td>\n",
 916 |        "      <td>39df1d2b-77ce-40d0-8aa7-eaa58716089e</td>\n",
 917 |        "      <td>b7ea75f8df3c</td>\n",
 918 |        "    </tr>\n",
 919 |        "    <tr>\n",
 920 |        "      <th>76</th>\n",
 921 |        "      <td>1681779752.302649</td>\n",
 922 |        "      <td>90944</td>\n",
 923 |        "      <td>testing_rownum90944</td>\n",
 924 |        "      <td>32efbd2f-ffe9-460b-91af-b51fac459b1c</td>\n",
 925 |        "      <td>b7ea75f8df3c</td>\n",
 926 |        "    </tr>\n",
 927 |        "    <tr>\n",
 928 |        "      <th>77</th>\n",
 929 |        "      <td>1681779752.301268</td>\n",
 930 |        "      <td>90943</td>\n",
 931 |        "      <td>testing_rownum90943</td>\n",
 932 |        "      <td>92895835-df19-4737-8037-b86cb7d90fb3</td>\n",
 933 |        "      <td>b7ea75f8df3c</td>\n",
 934 |        "    </tr>\n",
 935 |        "    <tr>\n",
 936 |        "      <th>78</th>\n",
 937 |        "      <td>1681779752.30011</td>\n",
 938 |        "      <td>90942</td>\n",
 939 |        "      <td>testing_rownum90942</td>\n",
 940 |        "      <td>a00db8ab-393e-4c50-82c4-c1710cda362b</td>\n",
 941 |        "      <td>b7ea75f8df3c</td>\n",
 942 |        "    </tr>\n",
 943 |        "    <tr>\n",
 944 |        "      <th>79</th>\n",
 945 |        "      <td>1681779752.298814</td>\n",
 946 |        "      <td>90941</td>\n",
 947 |        "      <td>testing_rownum90941</td>\n",
 948 |        "      <td>39f9b0b8-b736-4bff-9ee4-6f1b183374a2</td>\n",
 949 |        "      <td>b7ea75f8df3c</td>\n",
 950 |        "    </tr>\n",
 951 |        "    <tr>\n",
 952 |        "      <th>80</th>\n",
 953 |        "      <td>1681779752.297452</td>\n",
 954 |        "      <td>90940</td>\n",
 955 |        "      <td>testing_rownum90940</td>\n",
 956 |        "      <td>88b32f13-b0f5-4343-95e1-f187c8096493</td>\n",
 957 |        "      <td>b7ea75f8df3c</td>\n",
 958 |        "    </tr>\n",
 959 |        "    <tr>\n",
 960 |        "      <th>81</th>\n",
 961 |        "      <td>1681779752.296146</td>\n",
 962 |        "      <td>90939</td>\n",
 963 |        "      <td>testing_rownum90939</td>\n",
 964 |        "      <td>1533db32-9a9b-45cd-9cb6-0fc362e77f83</td>\n",
 965 |        "      <td>b7ea75f8df3c</td>\n",
 966 |        "    </tr>\n",
 967 |        "    <tr>\n",
 968 |        "      <th>82</th>\n",
 969 |        "      <td>1681779752.294786</td>\n",
 970 |        "      <td>90938</td>\n",
 971 |        "      <td>testing_rownum90938</td>\n",
 972 |        "      <td>e12176e7-96db-48c3-af63-18d35c437792</td>\n",
 973 |        "      <td>b7ea75f8df3c</td>\n",
 974 |        "    </tr>\n",
 975 |        "    <tr>\n",
 976 |        "      <th>83</th>\n",
 977 |        "      <td>1681779752.293403</td>\n",
 978 |        "      <td>90937</td>\n",
 979 |        "      <td>testing_rownum90937</td>\n",
 980 |        "      <td>38b765f9-2d39-40d0-bd1a-d5ac88a1ad65</td>\n",
 981 |        "      <td>b7ea75f8df3c</td>\n",
 982 |        "    </tr>\n",
 983 |        "    <tr>\n",
 984 |        "      <th>84</th>\n",
 985 |        "      <td>1681779752.2922</td>\n",
 986 |        "      <td>90936</td>\n",
 987 |        "      <td>testing_rownum90936</td>\n",
 988 |        "      <td>16fad467-4fed-41b1-8023-8191415a1e77</td>\n",
 989 |        "      <td>b7ea75f8df3c</td>\n",
 990 |        "    </tr>\n",
 991 |        "    <tr>\n",
 992 |        "      <th>85</th>\n",
 993 |        "      <td>1681779752.2908</td>\n",
 994 |        "      <td>90935</td>\n",
 995 |        "      <td>testing_rownum90935</td>\n",
 996 |        "      <td>b91fcd81-e115-4da5-b9cf-159df92fd4ae</td>\n",
 997 |        "      <td>b7ea75f8df3c</td>\n",
 998 |        "    </tr>\n",
 999 |        "    <tr>\n",
1000 |        "      <th>86</th>\n",
1001 |        "      <td>1681779752.289333</td>\n",
1002 |        "      <td>90934</td>\n",
1003 |        "      <td>testing_rownum90934</td>\n",
1004 |        "      <td>b37f9cda-cdeb-4eb7-a987-38acb30dca7b</td>\n",
1005 |        "      <td>b7ea75f8df3c</td>\n",
1006 |        "    </tr>\n",
1007 |        "    <tr>\n",
1008 |        "      <th>87</th>\n",
1009 |        "      <td>1681779752.287949</td>\n",
1010 |        "      <td>90933</td>\n",
1011 |        "      <td>testing_rownum90933</td>\n",
1012 |        "      <td>1407d30e-829d-4532-89b5-19883a1b06b8</td>\n",
1013 |        "      <td>b7ea75f8df3c</td>\n",
1014 |        "    </tr>\n",
1015 |        "    <tr>\n",
1016 |        "      <th>88</th>\n",
1017 |        "      <td>1681779752.286586</td>\n",
1018 |        "      <td>90932</td>\n",
1019 |        "      <td>testing_rownum90932</td>\n",
1020 |        "      <td>74674bb6-092d-4063-a652-09dd7acb3614</td>\n",
1021 |        "      <td>b7ea75f8df3c</td>\n",
1022 |        "    </tr>\n",
1023 |        "    <tr>\n",
1024 |        "      <th>89</th>\n",
1025 |        "      <td>1681779752.28522</td>\n",
1026 |        "      <td>90931</td>\n",
1027 |        "      <td>testing_rownum90931</td>\n",
1028 |        "      <td>7cb2e4d8-8ba1-439a-b5d1-8d350892b1d7</td>\n",
1029 |        "      <td>b7ea75f8df3c</td>\n",
1030 |        "    </tr>\n",
1031 |        "    <tr>\n",
1032 |        "      <th>90</th>\n",
1033 |        "      <td>1681779752.283851</td>\n",
1034 |        "      <td>90930</td>\n",
1035 |        "      <td>testing_rownum90930</td>\n",
1036 |        "      <td>0ae0dac1-ee25-4132-b0b1-ba32ef035a86</td>\n",
1037 |        "      <td>b7ea75f8df3c</td>\n",
1038 |        "    </tr>\n",
1039 |        "    <tr>\n",
1040 |        "      <th>91</th>\n",
1041 |        "      <td>1681779752.282428</td>\n",
1042 |        "      <td>90929</td>\n",
1043 |        "      <td>testing_rownum90929</td>\n",
1044 |        "      <td>20d37721-a2f4-4a1e-856a-372fa0c494c8</td>\n",
1045 |        "      <td>b7ea75f8df3c</td>\n",
1046 |        "    </tr>\n",
1047 |        "    <tr>\n",
1048 |        "      <th>92</th>\n",
1049 |        "      <td>1681779752.281108</td>\n",
1050 |        "      <td>90928</td>\n",
1051 |        "      <td>testing_rownum90928</td>\n",
1052 |        "      <td>23bc07f9-5347-4e18-9859-f8c27c139807</td>\n",
1053 |        "      <td>b7ea75f8df3c</td>\n",
1054 |        "    </tr>\n",
1055 |        "    <tr>\n",
1056 |        "      <th>93</th>\n",
1057 |        "      <td>1681779752.279815</td>\n",
1058 |        "      <td>90927</td>\n",
1059 |        "      <td>testing_rownum90927</td>\n",
1060 |        "      <td>efc6ada0-ed11-497d-974d-c9d98af60bbf</td>\n",
1061 |        "      <td>b7ea75f8df3c</td>\n",
1062 |        "    </tr>\n",
1063 |        "    <tr>\n",
1064 |        "      <th>94</th>\n",
1065 |        "      <td>1681779752.278495</td>\n",
1066 |        "      <td>90926</td>\n",
1067 |        "      <td>testing_rownum90926</td>\n",
1068 |        "      <td>2290da59-697e-418f-ab36-bedd2de3ce29</td>\n",
1069 |        "      <td>b7ea75f8df3c</td>\n",
1070 |        "    </tr>\n",
1071 |        "    <tr>\n",
1072 |        "      <th>95</th>\n",
1073 |        "      <td>1681779752.277374</td>\n",
1074 |        "      <td>90925</td>\n",
1075 |        "      <td>testing_rownum90925</td>\n",
1076 |        "      <td>df80d2d1-3cd2-42c3-a769-490d4b5f4d97</td>\n",
1077 |        "      <td>b7ea75f8df3c</td>\n",
1078 |        "    </tr>\n",
1079 |        "    <tr>\n",
1080 |        "      <th>96</th>\n",
1081 |        "      <td>1681779752.276065</td>\n",
1082 |        "      <td>90924</td>\n",
1083 |        "      <td>testing_rownum90924</td>\n",
1084 |        "      <td>db8ffe19-7d18-4529-9ed7-4484e4215e2b</td>\n",
1085 |        "      <td>b7ea75f8df3c</td>\n",
1086 |        "    </tr>\n",
1087 |        "    <tr>\n",
1088 |        "      <th>97</th>\n",
1089 |        "      <td>1681779752.27475</td>\n",
1090 |        "      <td>90923</td>\n",
1091 |        "      <td>testing_rownum90923</td>\n",
1092 |        "      <td>d069dacd-b1e1-4ffe-bec7-16b9345863cf</td>\n",
1093 |        "      <td>b7ea75f8df3c</td>\n",
1094 |        "    </tr>\n",
1095 |        "    <tr>\n",
1096 |        "      <th>98</th>\n",
1097 |        "      <td>1681779752.273496</td>\n",
1098 |        "      <td>90922</td>\n",
1099 |        "      <td>testing_rownum90922</td>\n",
1100 |        "      <td>5aec83cf-ff0b-47c5-bc0f-2241a879e1aa</td>\n",
1101 |        "      <td>b7ea75f8df3c</td>\n",
1102 |        "    </tr>\n",
1103 |        "    <tr>\n",
1104 |        "      <th>99</th>\n",
1105 |        "      <td>1681779752.272172</td>\n",
1106 |        "      <td>90921</td>\n",
1107 |        "      <td>testing_rownum90921</td>\n",
1108 |        "      <td>4c1d9d50-1844-42e0-acd7-77aa5088b968</td>\n",
1109 |        "      <td>b7ea75f8df3c</td>\n",
1110 |        "    </tr>\n",
1111 |        "  </tbody>\n",
1112 |        "</table>\n",
1113 |        "</div>"
1114 |       ],
1115 |       "text/plain": [
1116 |        "            timestamp rownum                 desc  \\\n",
1117 |        "0   1681779752.406508  91020  testing_rownum91020   \n",
1118 |        "1   1681779752.405167  91019  testing_rownum91019   \n",
1119 |        "2   1681779752.403983  91018  testing_rownum91018   \n",
1120 |        "3   1681779752.402606  91017  testing_rownum91017   \n",
1121 |        "4   1681779752.401176  91016  testing_rownum91016   \n",
1122 |        "5   1681779752.399793  91015  testing_rownum91015   \n",
1123 |        "6   1681779752.398403  91014  testing_rownum91014   \n",
1124 |        "7   1681779752.397149  91013  testing_rownum91013   \n",
1125 |        "8    1681779752.39573  91012  testing_rownum91012   \n",
1126 |        "9   1681779752.394345  91011  testing_rownum91011   \n",
1127 |        "10  1681779752.392953  91010  testing_rownum91010   \n",
1128 |        "11  1681779752.391523  91009  testing_rownum91009   \n",
1129 |        "12  1681779752.390141  91008  testing_rownum91008   \n",
1130 |        "13  1681779752.388756  91007  testing_rownum91007   \n",
1131 |        "14  1681779752.387368  91006  testing_rownum91006   \n",
1132 |        "15  1681779752.385981  91005  testing_rownum91005   \n",
1133 |        "16  1681779752.384581  91004  testing_rownum91004   \n",
1134 |        "17  1681779752.383178  91003  testing_rownum91003   \n",
1135 |        "18  1681779752.381794  91002  testing_rownum91002   \n",
1136 |        "19  1681779752.380393  91001  testing_rownum91001   \n",
1137 |        "20  1681779752.378992  91000  testing_rownum91000   \n",
1138 |        "21  1681779752.377607  90999  testing_rownum90999   \n",
1139 |        "22  1681779752.376221  90998  testing_rownum90998   \n",
1140 |        "23  1681779752.374777  90997  testing_rownum90997   \n",
1141 |        "24  1681779752.373472  90996  testing_rownum90996   \n",
1142 |        "25  1681779752.372097  90995  testing_rownum90995   \n",
1143 |        "26  1681779752.370822  90994  testing_rownum90994   \n",
1144 |        "27  1681779752.369402  90993  testing_rownum90993   \n",
1145 |        "28  1681779752.368045  90992  testing_rownum90992   \n",
1146 |        "29  1681779752.366817  90991  testing_rownum90991   \n",
1147 |        "30  1681779752.365429  90990  testing_rownum90990   \n",
1148 |        "31  1681779752.363988  90989  testing_rownum90989   \n",
1149 |        "32  1681779752.362554  90988  testing_rownum90988   \n",
1150 |        "33  1681779752.361126  90987  testing_rownum90987   \n",
1151 |        "34  1681779752.359682  90986  testing_rownum90986   \n",
1152 |        "35  1681779752.358297  90985  testing_rownum90985   \n",
1153 |        "36   1681779752.35692  90984  testing_rownum90984   \n",
1154 |        "37  1681779752.355614  90983  testing_rownum90983   \n",
1155 |        "38  1681779752.354208  90982  testing_rownum90982   \n",
1156 |        "39  1681779752.352808  90981  testing_rownum90981   \n",
1157 |        "40  1681779752.351424  90980  testing_rownum90980   \n",
1158 |        "41  1681779752.350038  90979  testing_rownum90979   \n",
1159 |        "42  1681779752.348623  90978  testing_rownum90978   \n",
1160 |        "43  1681779752.347205  90977  testing_rownum90977   \n",
1161 |        "44  1681779752.345805  90976  testing_rownum90976   \n",
1162 |        "45  1681779752.344417  90975  testing_rownum90975   \n",
1163 |        "46  1681779752.343033  90974  testing_rownum90974   \n",
1164 |        "47  1681779752.341633  90973  testing_rownum90973   \n",
1165 |        "48  1681779752.340229  90972  testing_rownum90972   \n",
1166 |        "49  1681779752.338835  90971  testing_rownum90971   \n",
1167 |        "50  1681779752.337448  90970  testing_rownum90970   \n",
1168 |        "51  1681779752.336065  90969  testing_rownum90969   \n",
1169 |        "52  1681779752.334683  90968  testing_rownum90968   \n",
1170 |        "53  1681779752.333446  90967  testing_rownum90967   \n",
1171 |        "54  1681779752.332216  90966  testing_rownum90966   \n",
1172 |        "55  1681779752.330789  90965  testing_rownum90965   \n",
1173 |        "56  1681779752.329405  90964  testing_rownum90964   \n",
1174 |        "57  1681779752.328077  90963  testing_rownum90963   \n",
1175 |        "58  1681779752.326748  90962  testing_rownum90962   \n",
1176 |        "59  1681779752.325389  90961  testing_rownum90961   \n",
1177 |        "60   1681779752.32401  90960  testing_rownum90960   \n",
1178 |        "61  1681779752.322841  90959  testing_rownum90959   \n",
1179 |        "62  1681779752.321636  90958  testing_rownum90958   \n",
1180 |        "63  1681779752.320403  90957  testing_rownum90957   \n",
1181 |        "64  1681779752.319054  90956  testing_rownum90956   \n",
1182 |        "65  1681779752.317637  90955  testing_rownum90955   \n",
1183 |        "66  1681779752.316274  90954  testing_rownum90954   \n",
1184 |        "67  1681779752.314906  90953  testing_rownum90953   \n",
1185 |        "68  1681779752.313527  90952  testing_rownum90952   \n",
1186 |        "69  1681779752.312311  90951  testing_rownum90951   \n",
1187 |        "70   1681779752.31107  90950  testing_rownum90950   \n",
1188 |        "71  1681779752.309636  90949  testing_rownum90949   \n",
1189 |        "72  1681779752.308253  90948  testing_rownum90948   \n",
1190 |        "73  1681779752.306838  90947  testing_rownum90947   \n",
1191 |        "74  1681779752.305435  90946  testing_rownum90946   \n",
1192 |        "75  1681779752.304033  90945  testing_rownum90945   \n",
1193 |        "76  1681779752.302649  90944  testing_rownum90944   \n",
1194 |        "77  1681779752.301268  90943  testing_rownum90943   \n",
1195 |        "78   1681779752.30011  90942  testing_rownum90942   \n",
1196 |        "79  1681779752.298814  90941  testing_rownum90941   \n",
1197 |        "80  1681779752.297452  90940  testing_rownum90940   \n",
1198 |        "81  1681779752.296146  90939  testing_rownum90939   \n",
1199 |        "82  1681779752.294786  90938  testing_rownum90938   \n",
1200 |        "83  1681779752.293403  90937  testing_rownum90937   \n",
1201 |        "84    1681779752.2922  90936  testing_rownum90936   \n",
1202 |        "85    1681779752.2908  90935  testing_rownum90935   \n",
1203 |        "86  1681779752.289333  90934  testing_rownum90934   \n",
1204 |        "87  1681779752.287949  90933  testing_rownum90933   \n",
1205 |        "88  1681779752.286586  90932  testing_rownum90932   \n",
1206 |        "89   1681779752.28522  90931  testing_rownum90931   \n",
1207 |        "90  1681779752.283851  90930  testing_rownum90930   \n",
1208 |        "91  1681779752.282428  90929  testing_rownum90929   \n",
1209 |        "92  1681779752.281108  90928  testing_rownum90928   \n",
1210 |        "93  1681779752.279815  90927  testing_rownum90927   \n",
1211 |        "94  1681779752.278495  90926  testing_rownum90926   \n",
1212 |        "95  1681779752.277374  90925  testing_rownum90925   \n",
1213 |        "96  1681779752.276065  90924  testing_rownum90924   \n",
1214 |        "97   1681779752.27475  90923  testing_rownum90923   \n",
1215 |        "98  1681779752.273496  90922  testing_rownum90922   \n",
1216 |        "99  1681779752.272172  90921  testing_rownum90921   \n",
1217 |        "\n",
1218 |        "                                   uuid4          host  \n",
1219 |        "0   e6b1e205-ad10-40a9-81da-6de2a48310bf  b7ea75f8df3c  \n",
1220 |        "1   1fdf3802-c17e-4dbd-af9a-5a74beb6dac2  b7ea75f8df3c  \n",
1221 |        "2   63853418-0e82-453d-a816-d759fdb06f66  b7ea75f8df3c  \n",
1222 |        "3   f9410562-ef8a-48ce-8a20-0d700c57cead  b7ea75f8df3c  \n",
1223 |        "4   a83544f4-3640-48ac-82fa-a69ef43c83f8  b7ea75f8df3c  \n",
1224 |        "5   abc1f653-9197-48af-9c51-de3ec4cbdf60  b7ea75f8df3c  \n",
1225 |        "6   73db45e8-498b-423a-99d4-93a8987f4383  b7ea75f8df3c  \n",
1226 |        "7   dcda1ec7-2aee-47e1-83f6-380f757ac274  b7ea75f8df3c  \n",
1227 |        "8   5c78d913-36b7-4ea2-a8e1-d2f365c034bb  b7ea75f8df3c  \n",
1228 |        "9   a6089f12-9447-4098-8feb-2d1c90130ffd  b7ea75f8df3c  \n",
1229 |        "10  9285c292-a454-41e8-a4e9-87b1ba27812e  b7ea75f8df3c  \n",
1230 |        "11  78d3b3cf-494e-450e-ae3b-5270e8c29a09  b7ea75f8df3c  \n",
1231 |        "12  ea055d48-7fa1-4233-b20b-d59dfdb6608e  b7ea75f8df3c  \n",
1232 |        "13  5dd307fe-590e-4e34-b9c7-14fe264621b6  b7ea75f8df3c  \n",
1233 |        "14  0bbc9c1d-e960-4669-9533-2eeb9f44368d  b7ea75f8df3c  \n",
1234 |        "15  ea630193-d9e9-4b6f-ab53-2176ddcc58f6  b7ea75f8df3c  \n",
1235 |        "16  1461a016-4a56-4888-9a3e-e78d49856c4a  b7ea75f8df3c  \n",
1236 |        "17  52317b49-f8cc-4218-aa35-a47ecd62e568  b7ea75f8df3c  \n",
1237 |        "18  6799ef50-122c-4c73-bb70-bb55ac67de66  b7ea75f8df3c  \n",
1238 |        "19  8c71a674-ca0c-4de9-bb39-2b246dac630f  b7ea75f8df3c  \n",
1239 |        "20  33c9cfb0-d264-44e9-b173-5020beb7b3fe  b7ea75f8df3c  \n",
1240 |        "21  a535250e-3c1d-46c7-a1c3-cdebdfee7b24  b7ea75f8df3c  \n",
1241 |        "22  38b94fef-71b5-4172-99a8-2706ee362330  b7ea75f8df3c  \n",
1242 |        "23  11003d0b-e3a0-416c-af9a-eb8e1235f73e  b7ea75f8df3c  \n",
1243 |        "24  33860324-3eea-4839-9c5a-7cf166de2110  b7ea75f8df3c  \n",
1244 |        "25  ba436b9d-9082-4411-b603-658f810677ae  b7ea75f8df3c  \n",
1245 |        "26  4a4dac63-c6bc-46a1-8ad8-43c0b68e9a74  b7ea75f8df3c  \n",
1246 |        "27  8cec26a2-404e-43b7-8e1e-c672adb41cab  b7ea75f8df3c  \n",
1247 |        "28  4e48d246-2a97-4892-bf7a-f9b6b0230ee7  b7ea75f8df3c  \n",
1248 |        "29  6cc13611-669a-4ac6-a1a7-0f1ec2559d0e  b7ea75f8df3c  \n",
1249 |        "30  6bbbafda-4bbe-40f0-b46a-11186cf12e7e  b7ea75f8df3c  \n",
1250 |        "31  d3aed9f7-bc7f-4d41-b4d2-0598a0af2dee  b7ea75f8df3c  \n",
1251 |        "32  7068ee2c-25c2-44a1-bff3-f62c3edb2cd2  b7ea75f8df3c  \n",
1252 |        "33  ec051770-480e-4547-97c8-499cd48bafe6  b7ea75f8df3c  \n",
1253 |        "34  26c41209-b5a0-475c-8cc9-33e3ca0e9da9  b7ea75f8df3c  \n",
1254 |        "35  9acc54f9-bec8-4569-b553-d0d428fb9d58  b7ea75f8df3c  \n",
1255 |        "36  958216ac-9583-4428-b1d8-f565596a833f  b7ea75f8df3c  \n",
1256 |        "37  f9128fe4-cd8c-4556-b660-a0ae9c542262  b7ea75f8df3c  \n",
1257 |        "38  460c77e6-dd96-4b42-be80-60a1e86427d5  b7ea75f8df3c  \n",
1258 |        "39  0f240d33-23d5-4320-b7a4-073dc2b8f361  b7ea75f8df3c  \n",
1259 |        "40  687b894e-0961-4a9d-bfaf-ad7bac60468a  b7ea75f8df3c  \n",
1260 |        "41  970bf2e6-e344-4e1a-a8de-d289ecb85a36  b7ea75f8df3c  \n",
1261 |        "42  2b9cf05a-f8c1-4da1-80f6-93204be6c2d8  b7ea75f8df3c  \n",
1262 |        "43  c9d59855-0363-45d4-8cff-c72d631e4b99  b7ea75f8df3c  \n",
1263 |        "44  4c39cb21-a981-4802-bee3-04a44a0d48e3  b7ea75f8df3c  \n",
1264 |        "45  85214d7e-b933-4081-af84-10c0c5b8e37d  b7ea75f8df3c  \n",
1265 |        "46  ec60e11b-8e08-437c-8c73-cb0e8bd4dc41  b7ea75f8df3c  \n",
1266 |        "47  e1224ee0-a8cb-46d4-ae9b-b9daab5e394f  b7ea75f8df3c  \n",
1267 |        "48  8f7d1802-743d-4d4a-8a23-860e2613055f  b7ea75f8df3c  \n",
1268 |        "49  3e96d2fb-e771-4b47-8e81-1cab2e9b6271  b7ea75f8df3c  \n",
1269 |        "50  77b6440d-c899-4ff1-9a7f-a8d77f485ed2  b7ea75f8df3c  \n",
1270 |        "51  a7d68e3d-a78f-407c-827d-362b789257b5  b7ea75f8df3c  \n",
1271 |        "52  78a0421c-99f6-40cd-a903-1ea72464b0ce  b7ea75f8df3c  \n",
1272 |        "53  505b326f-997d-446d-ad04-ceb0d98a8708  b7ea75f8df3c  \n",
1273 |        "54  adbfbba2-9415-4381-8c05-4d34bdcc914a  b7ea75f8df3c  \n",
1274 |        "55  3517ba74-2e00-4bf2-a42b-20e0d764b811  b7ea75f8df3c  \n",
1275 |        "56  95f3c4a0-f0c6-44be-88ec-8cad8cc1fbf2  b7ea75f8df3c  \n",
1276 |        "57  ad693222-f6ee-4f45-8b37-6a78bc72a7d6  b7ea75f8df3c  \n",
1277 |        "58  01b6f4f2-db3f-48a9-b0ea-ded53ecc9bb0  b7ea75f8df3c  \n",
1278 |        "59  2218a2ee-3838-4fed-83f3-f571d7330c1f  b7ea75f8df3c  \n",
1279 |        "60  1fdeb5de-8c16-4e31-a19c-0ece227f75a0  b7ea75f8df3c  \n",
1280 |        "61  3d4a5628-f467-4a54-8966-f30d057d1060  b7ea75f8df3c  \n",
1281 |        "62  9d4cedfa-70db-4710-88f3-9b1f17238549  b7ea75f8df3c  \n",
1282 |        "63  eec23ddf-0d2e-41b3-b387-b1c7e09606b4  b7ea75f8df3c  \n",
1283 |        "64  01762a20-edb8-4531-8b47-feedbe22b565  b7ea75f8df3c  \n",
1284 |        "65  5d9c83ea-5571-4248-a280-a084f21216e7  b7ea75f8df3c  \n",
1285 |        "66  60c1af52-657d-4c46-baa5-4df7d105264a  b7ea75f8df3c  \n",
1286 |        "67  12ab0219-f3a4-4581-a3e5-3a8703483a0d  b7ea75f8df3c  \n",
1287 |        "68  9b346382-e195-4985-828f-1aa4e6c4a109  b7ea75f8df3c  \n",
1288 |        "69  84d200f7-61d2-4ee6-a4ca-969c7056040a  b7ea75f8df3c  \n",
1289 |        "70  98ae2425-697f-46f5-8b80-0cb6d53e904a  b7ea75f8df3c  \n",
1290 |        "71  8152b663-9cbe-44f2-a499-1d1c8328398e  b7ea75f8df3c  \n",
1291 |        "72  e16ceff5-f9d7-45f8-8aa9-702930a52d4b  b7ea75f8df3c  \n",
1292 |        "73  6c821b9b-91d8-427e-9fc2-aa4b493b2fe5  b7ea75f8df3c  \n",
1293 |        "74  da396819-e679-4d53-bacc-a39e1c812996  b7ea75f8df3c  \n",
1294 |        "75  39df1d2b-77ce-40d0-8aa7-eaa58716089e  b7ea75f8df3c  \n",
1295 |        "76  32efbd2f-ffe9-460b-91af-b51fac459b1c  b7ea75f8df3c  \n",
1296 |        "77  92895835-df19-4737-8037-b86cb7d90fb3  b7ea75f8df3c  \n",
1297 |        "78  a00db8ab-393e-4c50-82c4-c1710cda362b  b7ea75f8df3c  \n",
1298 |        "79  39f9b0b8-b736-4bff-9ee4-6f1b183374a2  b7ea75f8df3c  \n",
1299 |        "80  88b32f13-b0f5-4343-95e1-f187c8096493  b7ea75f8df3c  \n",
1300 |        "81  1533db32-9a9b-45cd-9cb6-0fc362e77f83  b7ea75f8df3c  \n",
1301 |        "82  e12176e7-96db-48c3-af63-18d35c437792  b7ea75f8df3c  \n",
1302 |        "83  38b765f9-2d39-40d0-bd1a-d5ac88a1ad65  b7ea75f8df3c  \n",
1303 |        "84  16fad467-4fed-41b1-8023-8191415a1e77  b7ea75f8df3c  \n",
1304 |        "85  b91fcd81-e115-4da5-b9cf-159df92fd4ae  b7ea75f8df3c  \n",
1305 |        "86  b37f9cda-cdeb-4eb7-a987-38acb30dca7b  b7ea75f8df3c  \n",
1306 |        "87  1407d30e-829d-4532-89b5-19883a1b06b8  b7ea75f8df3c  \n",
1307 |        "88  74674bb6-092d-4063-a652-09dd7acb3614  b7ea75f8df3c  \n",
1308 |        "89  7cb2e4d8-8ba1-439a-b5d1-8d350892b1d7  b7ea75f8df3c  \n",
1309 |        "90  0ae0dac1-ee25-4132-b0b1-ba32ef035a86  b7ea75f8df3c  \n",
1310 |        "91  20d37721-a2f4-4a1e-856a-372fa0c494c8  b7ea75f8df3c  \n",
1311 |        "92  23bc07f9-5347-4e18-9859-f8c27c139807  b7ea75f8df3c  \n",
1312 |        "93  efc6ada0-ed11-497d-974d-c9d98af60bbf  b7ea75f8df3c  \n",
1313 |        "94  2290da59-697e-418f-ab36-bedd2de3ce29  b7ea75f8df3c  \n",
1314 |        "95  df80d2d1-3cd2-42c3-a769-490d4b5f4d97  b7ea75f8df3c  \n",
1315 |        "96  db8ffe19-7d18-4529-9ed7-4484e4215e2b  b7ea75f8df3c  \n",
1316 |        "97  d069dacd-b1e1-4ffe-bec7-16b9345863cf  b7ea75f8df3c  \n",
1317 |        "98  5aec83cf-ff0b-47c5-bc0f-2241a879e1aa  b7ea75f8df3c  \n",
1318 |        "99  4c1d9d50-1844-42e0-acd7-77aa5088b968  b7ea75f8df3c  "
1319 |       ]
1320 |      },
1321 |      "execution_count": 26,
1322 |      "metadata": {},
1323 |      "output_type": "execute_result"
1324 |     }
1325 |    ],
1326 |    "source": [
1327 |     "result_df"
1328 |    ]
1329 |   },
1330 |   {
1331 |    "cell_type": "code",
1332 |    "execution_count": null,
1333 |    "metadata": {},
1334 |    "outputs": [],
1335 |    "source": []
1336 |   }
1337 |  ],
1338 |  "metadata": {
1339 |   "kernelspec": {
1340 |    "display_name": "Python 3",
1341 |    "language": "python",
1342 |    "name": "python3"
1343 |   },
1344 |   "language_info": {
1345 |    "codemirror_mode": {
1346 |     "name": "ipython",
1347 |     "version": 3
1348 |    },
1349 |    "file_extension": ".py",
1350 |    "mimetype": "text/x-python",
1351 |    "name": "python",
1352 |    "nbconvert_exporter": "python",
1353 |    "pygments_lexer": "ipython3",
1354 |    "version": "3.9.5"
1355 |   },
1356 |   "orig_nbformat": 4
1357 |  },
1358 |  "nbformat": 4,
1359 |  "nbformat_minor": 2
1360 | }
1361 | 


--------------------------------------------------------------------------------
/qp_splunk_poc_bugfix/msticpy_splunk_9_0_4_reader_merged.ipynb:
--------------------------------------------------------------------------------
  1 | {
  2 |  "cells": [
  3 |   {
  4 |    "attachments": {},
  5 |    "cell_type": "markdown",
  6 |    "metadata": {},
  7 |    "source": [
  8 |     "### Test for docker Splunk latest 9.0.4"
  9 |    ]
 10 |   },
 11 |   {
 12 |    "cell_type": "code",
 13 |    "execution_count": 13,
 14 |    "metadata": {},
 15 |    "outputs": [
 16 |     {
 17 |      "name": "stdout",
 18 |      "output_type": "stream",
 19 |      "text": [
 20 |       "Tue Apr 25 05:41:04 JST 2023\n",
 21 |       "Python 3.9.5\n",
 22 |       "sys.version\n",
 23 |       " 3.9.5 (default, Jun  7 2021, 16:27:44) \n",
 24 |       "[Clang 12.0.5 (clang-1205.0.22.9)]\n"
 25 |      ]
 26 |     }
 27 |    ],
 28 |    "source": [
 29 |     "!date\n",
 30 |     "!python -V # check if python version is later than 3.8\n",
 31 |     "\n",
 32 |     "import sys\n",
 33 |     "print(\"sys.version\\n\",sys.version)"
 34 |    ]
 35 |   },
 36 |   {
 37 |    "cell_type": "code",
 38 |    "execution_count": 14,
 39 |    "metadata": {},
 40 |    "outputs": [
 41 |     {
 42 |      "name": "stdout",
 43 |      "output_type": "stream",
 44 |      "text": [
 45 |       "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n",
 46 |       "<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->\n",
 47 |       "<?xml-stylesheet type=\"text/xml\" href=\"/static/atom.xsl\"?>\n",
 48 |       "<feed xmlns=\"http://www.w3.org/2005/Atom\" xmlns:s=\"http://dev.splunk.com/ns/rest\">\n",
 49 |       "  <title>splunkd</title>\n",
 50 |       "  <id>https://localhost:8089/</id>\n",
 51 |       "  <updated>2023-04-24T20:41:06+00:00</updated>\n",
 52 |       "  <generator build=\"de405f4a7979\" version=\"9.0.4\"/>\n",
 53 |       "  <author>\n",
 54 |       "    <name>Splunk</name>\n",
 55 |       "  </author>\n",
 56 |       "  <entry>\n",
 57 |       "    <title>rpc</title>\n",
 58 |       "    <id>https://localhost:8089/rpc</id>\n",
 59 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
 60 |       "    <link href=\"/rpc\" rel=\"alternate\"/>\n",
 61 |       "  </entry>\n",
 62 |       "  <entry>\n",
 63 |       "    <title>services</title>\n",
 64 |       "    <id>https://localhost:8089/services</id>\n",
 65 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
 66 |       "    <link href=\"/services\" rel=\"alternate\"/>\n",
 67 |       "  </entry>\n",
 68 |       "  <entry>\n",
 69 |       "    <title>servicesNS</title>\n",
 70 |       "    <id>https://localhost:8089/servicesNS</id>\n",
 71 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
 72 |       "    <link href=\"/servicesNS\" rel=\"alternate\"/>\n",
 73 |       "  </entry>\n",
 74 |       "  <entry>\n",
 75 |       "    <title>static</title>\n",
 76 |       "    <id>https://localhost:8089/static</id>\n",
 77 |       "    <updated>1970-01-01T00:00:00+00:00</updated>\n",
 78 |       "    <link href=\"/static\" rel=\"alternate\"/>\n",
 79 |       "  </entry>\n",
 80 |       "</feed>\n"
 81 |      ]
 82 |     }
 83 |    ],
 84 |    "source": [
 85 |     "\n",
 86 |     "# check the splunk version via REST API\n",
 87 |     "!curl https://localhost:8089 -k\n"
 88 |    ]
 89 |   },
 90 |   {
 91 |    "cell_type": "code",
 92 |    "execution_count": 16,
 93 |    "metadata": {},
 94 |    "outputs": [
 95 |     {
 96 |      "name": "stdout",
 97 |      "output_type": "stream",
 98 |      "text": [
 99 |       "2.4.0\n"
100 |      ]
101 |     }
102 |    ],
103 |    "source": [
104 |     "import msticpy as mp\n",
105 |     "print(mp.__version__)"
106 |    ]
107 |   },
108 |   {
109 |    "cell_type": "code",
110 |    "execution_count": 17,
111 |    "metadata": {},
112 |    "outputs": [
113 |     {
114 |      "name": "stderr",
115 |      "output_type": "stream",
116 |      "text": [
117 |       "2023-04-25 05:41:31,410: WARNING - config validation error Missing or empty 'AzureSentinel' section (nbinit#697)\n",
118 |       "2023-04-25 05:41:31,410: WARNING - Could not find msticpyconfig.yaml in standard search. (nbinit#710)\n"
119 |      ]
120 |     },
121 |     {
122 |      "data": {
123 |       "text/html": [
124 |        "<p style=''><font color='orange'><h3>Notebook setup completed with some warnings.</h3></p>"
125 |       ],
126 |       "text/plain": [
127 |        "<IPython.core.display.HTML object>"
128 |       ]
129 |      },
130 |      "metadata": {},
131 |      "output_type": "display_data"
132 |     },
133 |     {
134 |      "data": {
135 |       "text/html": [
136 |        "<p style=''>One or more configuration items were missing or set incorrectly.</p>"
137 |       ],
138 |       "text/plain": [
139 |        "<IPython.core.display.HTML object>"
140 |       ]
141 |      },
142 |      "metadata": {},
143 |      "output_type": "display_data"
144 |     },
145 |     {
146 |      "data": {
147 |       "text/html": [
148 |        "<p style=''>Please run the <i>Getting Started Guide for Azure Sentinel ML Notebooks</i> notebook. and the <a href='https://msticpy.readthedocs.io/en/latest/getting_started/msticpyconfig.html'>msticpy configuration guide</a>.</p>"
149 |       ],
150 |       "text/plain": [
151 |        "<IPython.core.display.HTML object>"
152 |       ]
153 |      },
154 |      "metadata": {},
155 |      "output_type": "display_data"
156 |     },
157 |     {
158 |      "data": {
159 |       "text/html": [
160 |        "<p style=''>This notebook may still run but with reduced functionality.</p>"
161 |       ],
162 |       "text/plain": [
163 |        "<IPython.core.display.HTML object>"
164 |       ]
165 |      },
166 |      "metadata": {},
167 |      "output_type": "display_data"
168 |     }
169 |    ],
170 |    "source": [
171 |     "mp.init_notebook()"
172 |    ]
173 |   },
174 |   {
175 |    "cell_type": "code",
176 |    "execution_count": 18,
177 |    "metadata": {},
178 |    "outputs": [
179 |     {
180 |      "name": "stdout",
181 |      "output_type": "stream",
182 |      "text": [
183 |       "connected\n"
184 |      ]
185 |     }
186 |    ],
187 |    "source": [
188 |     "splunk_prov = mp.QueryProvider(\"Splunk\")\n",
189 |     "splunk_prov.connect()"
190 |    ]
191 |   },
192 |   {
193 |    "cell_type": "code",
194 |    "execution_count": 19,
195 |    "metadata": {},
196 |    "outputs": [
197 |     {
198 |      "name": "stdout",
199 |      "output_type": "stream",
200 |      "text": [
201 |       "Query:  get_events_parameterized\n",
202 |       "Data source:  Splunk\n",
203 |       "Generic parameterized query from index/source\n",
204 |       "\n",
205 |       "Parameters\n",
206 |       "----------\n",
207 |       "add_query_items: str (optional)\n",
208 |       "    Additional query clauses\n",
209 |       "    (default value is: | head 100)\n",
210 |       "end: datetime\n",
211 |       "    Query end time\n",
212 |       "index: str (optional)\n",
213 |       "    Splunk index name\n",
214 |       "    (default value is: *)\n",
215 |       "project_fields: str (optional)\n",
216 |       "    Project Field names\n",
217 |       "    (default value is: | table TimeCreated, host, EventID, EventDescripti...)\n",
218 |       "source: str (optional)\n",
219 |       "    Splunk source type\n",
220 |       "    (default value is: *)\n",
221 |       "start: datetime\n",
222 |       "    Query start time\n",
223 |       "timeformat: str (optional)\n",
224 |       "    Datetime format to use in Splunk query\n",
225 |       "    (default value is: \"%Y-%m-%d %H:%M:%S.%6N\")\n",
226 |       "Query:\n",
227 |       " search index={index} source={source} timeformat={timeformat} earliest={start} latest={end} {project_fields} {add_query_items}\n"
228 |      ]
229 |     }
230 |    ],
231 |    "source": [
232 |     "splunk_prov.SplunkGeneral.get_events_parameterized('?')\n"
233 |    ]
234 |   },
235 |   {
236 |    "cell_type": "code",
237 |    "execution_count": 20,
238 |    "metadata": {},
239 |    "outputs": [
240 |     {
241 |      "data": {
242 |       "text/plain": [
243 |        "' search index=msticpy source=msticpy_splunk_reader_paging-test.csv timeformat=\"%Y-%m-%d %H:%M:%S.%6N\" earliest=\"2023-04-17 00:00:00\" latest=\"2023-04-19 10:00:00\" | table timestamp,rownum, desc, uuid4, host '"
244 |       ]
245 |      },
246 |      "execution_count": 20,
247 |      "metadata": {},
248 |      "output_type": "execute_result"
249 |     }
250 |    ],
251 |    "source": [
252 |     "splunk_prov.SplunkGeneral.get_events_parameterized('print',\n",
253 |     "    index=\"msticpy\",\n",
254 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
255 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
256 |     "    start=\"2023-04-17 00:00:00.000000\",\n",
257 |     "    end=\"2023-04-19 10:00:00.000000\",    \n",
258 |     "    add_query_items='',\n",
259 |     "    count=0\n",
260 |     ")\n",
261 |     "\n"
262 |    ]
263 |   },
264 |   {
265 |    "cell_type": "code",
266 |    "execution_count": 21,
267 |    "metadata": {},
268 |    "outputs": [
269 |     {
270 |      "name": "stderr",
271 |      "output_type": "stream",
272 |      "text": [
273 |       "Waiting Splunk job to complete: 200.0it [00:01, 195.71it/s]                        \n",
274 |       "Waiting Splunk result to retrieve: 200000it [00:31, 6449.36it/s]                           \n"
275 |      ]
276 |     },
277 |     {
278 |      "data": {
279 |       "text/plain": [
280 |        "100000"
281 |       ]
282 |      },
283 |      "execution_count": 21,
284 |      "metadata": {},
285 |      "output_type": "execute_result"
286 |     }
287 |    ],
288 |    "source": [
289 |     "\n",
290 |     "result_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
291 |     "    index=\"msticpy\",\n",
292 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
293 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
294 |     "    start=\"2023-04-17 00:00:00.000000\",\n",
295 |     "    end=\"2023-04-19 10:00:00.000000\",    \n",
296 |     "    add_query_items='',\n",
297 |     "    count=0\n",
298 |     ")\n",
299 |     "len(result_df)"
300 |    ]
301 |   },
302 |   {
303 |    "cell_type": "code",
304 |    "execution_count": 22,
305 |    "metadata": {},
306 |    "outputs": [
307 |     {
308 |      "name": "stderr",
309 |      "output_type": "stream",
310 |      "text": [
311 |       "Waiting Splunk job to complete: 200.0it [00:01, 195.50it/s]                        \n",
312 |       "Waiting Splunk result to retrieve: 200000it [00:00, 253958.21it/s]                            \n"
313 |      ]
314 |     },
315 |     {
316 |      "data": {
317 |       "text/plain": [
318 |        "100000"
319 |       ]
320 |      },
321 |      "execution_count": 22,
322 |      "metadata": {},
323 |      "output_type": "execute_result"
324 |     }
325 |    ],
326 |    "source": [
327 |     "\n",
328 |     "result_df = splunk_prov.SplunkGeneral.get_events_parameterized(\n",
329 |     "    index=\"msticpy\",\n",
330 |     "    source=\"msticpy_splunk_reader_paging-test.csv\",\n",
331 |     "    project_fields=\"| table timestamp,rownum, desc, uuid4, host\",\n",
332 |     "    start=\"2023-04-17 00:00:00.000000\",\n",
333 |     "    end=\"2023-04-19 10:00:00.000000\",    \n",
334 |     "    add_query_items='',\n",
335 |     "    count=0,\n",
336 |     "    page_size=10000\n",
337 |     ")\n",
338 |     "len(result_df)"
339 |    ]
340 |   },
341 |   {
342 |    "cell_type": "code",
343 |    "execution_count": null,
344 |    "metadata": {},
345 |    "outputs": [],
346 |    "source": []
347 |   }
348 |  ],
349 |  "metadata": {
350 |   "kernelspec": {
351 |    "display_name": "Python 3",
352 |    "language": "python",
353 |    "name": "python3"
354 |   },
355 |   "language_info": {
356 |    "codemirror_mode": {
357 |     "name": "ipython",
358 |     "version": 3
359 |    },
360 |    "file_extension": ".py",
361 |    "mimetype": "text/x-python",
362 |    "name": "python",
363 |    "nbconvert_exporter": "python",
364 |    "pygments_lexer": "ipython3",
365 |    "version": "3.9.12"
366 |   },
367 |   "orig_nbformat": 4
368 |  },
369 |  "nbformat": 4,
370 |  "nbformat_minor": 2
371 | }
372 | 


--------------------------------------------------------------------------------
/splunk_dsdl/README.md:
--------------------------------------------------------------------------------
1 | <img width="1512" alt="splunk_dsdl" src="https://github.com/Tatsuya-hasegawa/MSTICPy_utils/assets/40039738/a81ae1f5-16d8-4346-be83-a38040eae618">
2 | 
3 | <img width="1512" alt="powershell_cmdline_usecase" src="https://github.com/Tatsuya-hasegawa/MSTICPy_utils/assets/40039738/eb1945ac-4696-403d-9838-ef0208c5a5fc">
4 | 
5 | <img width="1512" alt="fitapply_result" src="https://github.com/Tatsuya-hasegawa/MSTICPy_utils/assets/40039738/f996a11e-c1b8-42c2-a0e7-b5ee300a9524">
6 | 


--------------------------------------------------------------------------------
/splunk_dsdl/msticpy_powershell_ioc.ipynb:
--------------------------------------------------------------------------------
  1 | {
  2 |  "cells": [
  3 |   {
  4 |    "attachments": {},
  5 |    "cell_type": "markdown",
  6 |    "metadata": {},
  7 |    "source": [
  8 |     "# [msticpy] ParentCommandLine powershell - base64 decode & ioc extraction"
  9 |    ]
 10 |   },
 11 |   {
 12 |    "attachments": {},
 13 |    "cell_type": "markdown",
 14 |    "metadata": {},
 15 |    "source": [
 16 |     "## Preparation for install msticpy\n",
 17 |     "\n",
 18 |     "Example of phdrieger/mltk-container-golden-image-cpu:5.1.0 container:\n",
 19 |     "\n",
 20 |     "$ mkdir /srv/app/model/customlib\n",
 21 |     "\n",
 22 |     "$ pip install msticpy -t /srv/app/model/customlib"
 23 |    ]
 24 |   },
 25 |   {
 26 |    "attachments": {},
 27 |    "cell_type": "markdown",
 28 |    "metadata": {},
 29 |    "source": [
 30 |     "## Stage 0 - import libraries\n",
 31 |     "At stage 0 we define all imports necessary to run our subsequent code depending on various libraries."
 32 |    ]
 33 |   },
 34 |   {
 35 |    "cell_type": "code",
 36 |    "execution_count": 23,
 37 |    "metadata": {
 38 |     "deletable": false,
 39 |     "name": "mltkc_import"
 40 |    },
 41 |    "outputs": [],
 42 |    "source": [
 43 |     "# this definition exposes all python module imports that should be available in all subsequent commands\n",
 44 |     "import json\n",
 45 |     "import numpy as np\n",
 46 |     "import pandas as pd\n",
 47 |     "import os\n",
 48 |     "import sys,os.path\n",
 49 |     "sys.path.insert(0,\"/srv/app/model/customlib\")\n",
 50 |     "import msticpy as mp\n",
 51 |     "\n",
 52 |     "# ...\n",
 53 |     "# global constants\n",
 54 |     "MODEL_DIRECTORY = \"/srv/app/model/data/\"\n",
 55 |     "\n",
 56 |     "# define the algorism name and model name\n",
 57 |     "algo_name = \"msticpy_powershell_ioc\"\n",
 58 |     "model_name = \"process_b64_iocs_enrich\""
 59 |    ]
 60 |   },
 61 |   {
 62 |    "attachments": {},
 63 |    "cell_type": "markdown",
 64 |    "metadata": {},
 65 |    "source": [
 66 |     "## Stage 1 - get a data sample from Splunk\n",
 67 |     "There are currently 2 ways to retrieve data from Splunk: Option 1 is to interactively pull data from Splunk into the DSDL Jupyter Lab environment. This is useful when the Splunk REST API is accessible from the Jupyter environment and a valid Splunk auth token is defined in the DSDL app. This option has advantages to quickly experiment with different Splunk SPL queries and further interactively work with the search results in Jupyter.\n",
 68 |     "\n",
 69 |     "### Option 1 - pull data from Splunk"
 70 |    ]
 71 |   },
 72 |   {
 73 |    "cell_type": "code",
 74 |    "execution_count": 25,
 75 |    "metadata": {},
 76 |    "outputs": [],
 77 |    "source": [
 78 |     "# NOT EXPORTED\n",
 79 |     "from dsdlsupport import SplunkSearch as SplunkSearch\n",
 80 |     "search = SplunkSearch.SplunkSearch()\n",
 81 |     "df = search.as_df()"
 82 |    ]
 83 |   },
 84 |   {
 85 |    "attachments": {},
 86 |    "cell_type": "markdown",
 87 |    "metadata": {},
 88 |    "source": [
 89 |     "### Option 2 - push data from Splunk\n",
 90 |     "In Splunk run a search to pipe a dataset into your notebook environment. You utilize the `mode=stage` flag in the in the `| fit` command to do this. The search results are accessible then as csv file with the same model name that is defined in the `into app:<modelname>` part of the fit statement. Additionally, meta data is retrieved and accessible as json file. In the same way you can further work with the meta data object as it is exposed in the fit and apply function definitions below in stage 3 and 4."
 91 |    ]
 92 |   },
 93 |   {
 94 |    "attachments": {},
 95 |    "cell_type": "markdown",
 96 |    "metadata": {},
 97 |    "source": [
 98 |     "index=botsv2 \"powershell\" \"-enc\" source=\"WinEventLog*Microsoft-Windows-Sysmon*Operational*\"<br>\n",
 99 |     "| where LIKE(ParentCommandLine,\"%powershell%-enc%\") | stats count by ParentCommandLine<br>\n",
100 |     "| fit MLTKContainer mode=stage algo=msticpy_powershell_ioc ParentCommandLine into app:process_b64_iocs_enrich<br>"
101 |    ]
102 |   },
103 |   {
104 |    "attachments": {},
105 |    "cell_type": "markdown",
106 |    "metadata": {},
107 |    "source": [
108 |     "After you run this search your data set sample is available as a csv inside the container to develop your model. The name is taken from the into keyword (\"process_b64_iocs_enrich\" in the example above) or set to \"default\" if no into keyword is present. This step is intended to work with a subset of your data to create your custom model."
109 |    ]
110 |   },
111 |   {
112 |    "cell_type": "code",
113 |    "execution_count": 2,
114 |    "metadata": {
115 |     "deletable": false,
116 |     "name": "mltkc_stage"
117 |    },
118 |    "outputs": [],
119 |    "source": [
120 |     "# this cell is not executed from MLTK and should only be used for staging data into the notebook environment\n",
121 |     "def stage(name):\n",
122 |     "    with open(\"data/\"+name+\".csv\", 'r') as f:\n",
123 |     "        df = pd.read_csv(f)\n",
124 |     "    with open(\"data/\"+name+\".json\", 'r') as f:\n",
125 |     "        param = json.load(f)\n",
126 |     "    return df, param"
127 |    ]
128 |   },
129 |   {
130 |    "cell_type": "code",
131 |    "execution_count": 3,
132 |    "metadata": {},
133 |    "outputs": [],
134 |    "source": [
135 |     "# THIS CELL IS NOT EXPORTED - free notebook cell for testing or development purposes\n",
136 |     "df, param = stage(model_name)"
137 |    ]
138 |   },
139 |   {
140 |    "cell_type": "code",
141 |    "execution_count": 30,
142 |    "metadata": {},
143 |    "outputs": [
144 |     {
145 |      "data": {
146 |       "text/plain": [
147 |        "{'options': {'params': {'mode': 'stage', 'algo': 'msticpy_powershell_ioc'},\n",
148 |        "  'args': ['ParentCommandLine'],\n",
149 |        "  'feature_variables': ['ParentCommandLine'],\n",
150 |        "  'model_name': 'process_b64_iocs_enrich',\n",
151 |        "  'algo_name': 'MLTKContainer',\n",
152 |        "  'mlspl_limits': {'handle_new_cat': 'default',\n",
153 |        "   'max_distinct_cat_values': '100',\n",
154 |        "   'max_distinct_cat_values_for_classifiers': '100',\n",
155 |        "   'max_distinct_cat_values_for_scoring': '100',\n",
156 |        "   'max_fit_time': '600',\n",
157 |        "   'max_inputs': '100000',\n",
158 |        "   'max_memory_usage_mb': '4000',\n",
159 |        "   'max_model_size_mb': '30',\n",
160 |        "   'max_score_time': '600',\n",
161 |        "   'use_sampling': 'true'},\n",
162 |        "  'kfold_cv': None},\n",
163 |        " 'feature_variables': ['ParentCommandLine']}"
164 |       ]
165 |      },
166 |      "execution_count": 30,
167 |      "metadata": {},
168 |      "output_type": "execute_result"
169 |     }
170 |    ],
171 |    "source": [
172 |     "param"
173 |    ]
174 |   },
175 |   {
176 |    "attachments": {},
177 |    "cell_type": "markdown",
178 |    "metadata": {},
179 |    "source": [
180 |     "## Stage 2 - create and initialize a model"
181 |    ]
182 |   },
183 |   {
184 |    "cell_type": "code",
185 |    "execution_count": 7,
186 |    "metadata": {
187 |     "deletable": false,
188 |     "name": "mltkc_init"
189 |    },
190 |    "outputs": [],
191 |    "source": [
192 |     "# initialize your model\n",
193 |     "# available inputs: data and parameters\n",
194 |     "# returns the model object which will be used as a reference to call fit, apply and summary subsequently\n",
195 |     "def init(df,param):\n",
196 |     "    model = {}\n",
197 |     "    model['hyperparameter'] = 0\n",
198 |     "    model['desc'] = \"msticpy ioc enrichment from process command line\"\n",
199 |     "    return model"
200 |    ]
201 |   },
202 |   {
203 |    "cell_type": "code",
204 |    "execution_count": null,
205 |    "metadata": {
206 |     "deletable": false,
207 |     "name": "mltkc_apply"
208 |    },
209 |    "outputs": [],
210 |    "source": []
211 |   },
212 |   {
213 |    "cell_type": "code",
214 |    "execution_count": 8,
215 |    "metadata": {
216 |     "scrolled": true
217 |    },
218 |    "outputs": [
219 |     {
220 |      "name": "stdout",
221 |      "output_type": "stream",
222 |      "text": [
223 |       "{'hyperparameter': 0, 'desc': 'msticpy ioc enrichment from process command line'}\n"
224 |      ]
225 |     }
226 |    ],
227 |    "source": [
228 |     "# THIS CELL IS NOT EXPORTED - free notebook cell for testing or development purposes\n",
229 |     "model = init(df,param)\n",
230 |     "print(model)"
231 |    ]
232 |   },
233 |   {
234 |    "attachments": {},
235 |    "cell_type": "markdown",
236 |    "metadata": {},
237 |    "source": [
238 |     "## fit the model"
239 |    ]
240 |   },
241 |   {
242 |    "cell_type": "code",
243 |    "execution_count": 9,
244 |    "metadata": {
245 |     "deletable": false,
246 |     "name": "mltkc_fit"
247 |    },
248 |    "outputs": [],
249 |    "source": [
250 |     "# train your model\n",
251 |     "# returns a fit info json object and may modify the model object\n",
252 |     "def fit(model,df,param):\n",
253 |     "    # model.fit()\n",
254 |     "    info = {\"message\": \"passthru model creating the model's json file\"}\n",
255 |     "    return info"
256 |    ]
257 |   },
258 |   {
259 |    "cell_type": "code",
260 |    "execution_count": 10,
261 |    "metadata": {},
262 |    "outputs": [
263 |     {
264 |      "name": "stdout",
265 |      "output_type": "stream",
266 |      "text": [
267 |       "{'message': \"passthru model creating the model's json file\"}\n"
268 |      ]
269 |     }
270 |    ],
271 |    "source": [
272 |     "# THIS CELL IS NOT EXPORTED - free notebook cell for testing or development purposes\n",
273 |     "print(fit(model,df,param))"
274 |    ]
275 |   },
276 |   {
277 |    "attachments": {},
278 |    "cell_type": "markdown",
279 |    "metadata": {},
280 |    "source": [
281 |     "## apply the model"
282 |    ]
283 |   },
284 |   {
285 |    "cell_type": "code",
286 |    "execution_count": 13,
287 |    "metadata": {},
288 |    "outputs": [],
289 |    "source": [
290 |     "# NOT EXPORTED (just for debugging)\n",
291 |     "def join_result(dec_df,ioc_input):\n",
292 |     "    for input_string, iocs in ioc_input.items():\n",
293 |     "        j=0\n",
294 |     "        while j < len(dec_df['decoded_string']):\n",
295 |     "            if dec_df['decode_validated'][j] == input_string:\n",
296 |     "                dec_df.at[dec_df.index[j], 'ioc_ipv4'] = \",\".join(iocs[\"ipv4\"])\n",
297 |     "                dec_df.at[dec_df.index[j], 'ioc_url'] = \",\".join(iocs[\"url\"])\n",
298 |     "            j+=1    \n",
299 |     "    return dec_df[[\"ParentCommandLine\",\"decode_validated\",\"ioc_ipv4\",\"ioc_url\"]]"
300 |    ]
301 |   },
302 |   {
303 |    "cell_type": "code",
304 |    "execution_count": 13,
305 |    "metadata": {},
306 |    "outputs": [],
307 |    "source": [
308 |     "# NOT EXPORTED (just for debugging)\n",
309 |     "def format_ioc(ioc_df):\n",
310 |     "    ioc_input = {}\n",
311 |     "    for row in ioc_df.itertuples():\n",
312 |     "        if not row.Input in ioc_input:\n",
313 |     "            ioc_input[row.Input] = { \"ipv4\":[],\"url\":[] }\n",
314 |     "        if row.IoCType==\"ipv4\":\n",
315 |     "            ioc_input[row.Input][\"ipv4\"].append(row.Observable)\n",
316 |     "        elif row.IoCType==\"url\":\n",
317 |     "            url = row.Observable\n",
318 |     "        elif row.IoCType==\"linux_path\" and row.Observable[0]==\"/\" and \".php\"in row.Observable.split(\";\")[0]:\n",
319 |     "            url_path = row.Observable.split(\";\")[0].rstrip(\"'\").rstrip('\"').rstrip()\n",
320 |     "            uri = url + url_path\n",
321 |     "            ioc_input[row.Input][\"url\"].append(uri)\n",
322 |     "    return ioc_input"
323 |    ]
324 |   },
325 |   {
326 |    "cell_type": "code",
327 |    "execution_count": 16,
328 |    "metadata": {},
329 |    "outputs": [],
330 |    "source": [
331 |     "# NOT EXPORTED\n",
332 |     "def extract_ioc(dec_df):\n",
333 |     "    i=0\n",
334 |     "    while i < len(dec_df[\"decoded_string\"]):\n",
335 |     "        dec_df.at[dec_df.index[i], 'decode_validated'] = dec_df[\"decoded_string\"][i].replace(\"\\x00\",\"\")\n",
336 |     "        i+=1\n",
337 |     "    ioc_df = dec_df.mp.ioc_extract(columns=['decode_validated'],include_paths=True,\\\n",
338 |     "                ioc_types=['ipv4','ipv6','dns','url','email','windows_path','linux_path','md5_hash','sha1_hash','sha256_hash'])\n",
339 |     "    return ioc_df"
340 |    ]
341 |   },
342 |   {
343 |    "cell_type": "code",
344 |    "execution_count": 21,
345 |    "metadata": {
346 |     "name": "mltkc_apply"
347 |    },
348 |    "outputs": [],
349 |    "source": [
350 |     "# apply your model\n",
351 |     "# returns the calculated results\n",
352 |     "def apply(model,df,param):  \n",
353 |     "    mp.init_notebook()\n",
354 |     "    \n",
355 |     "    # decode base64\n",
356 |     "    dec_df = mp.transform.base64unpack.unpack_df(data=df, column='ParentCommandLine')\n",
357 |     "    # remove nullbyte \\x00\n",
358 |     "    i=0\n",
359 |     "    while i < len(dec_df[\"decoded_string\"]):\n",
360 |     "        dec_df.at[dec_df.index[i], 'decode_validated'] = dec_df[\"decoded_string\"][i].replace(\"\\x00\",\"\")\n",
361 |     "        i+=1\n",
362 |     "    # extract ioc\n",
363 |     "    ioc_df = dec_df.mp.ioc_extract(columns=['decode_validated'],include_paths=True,\\\n",
364 |     "                ioc_types=['ipv4','ipv6','dns','url','email','windows_path','linux_path','md5_hash','sha1_hash','sha256_hash'])\n",
365 |     "    # format ioc to dict\n",
366 |     "    ioc_input = {}\n",
367 |     "    for row in ioc_df.itertuples():\n",
368 |     "        if not row.Input in ioc_input:\n",
369 |     "            ioc_input[row.Input] = { \"ipv4\":[],\"url\":[] }\n",
370 |     "        if row.IoCType==\"ipv4\":\n",
371 |     "            ioc_input[row.Input][\"ipv4\"].append(row.Observable)\n",
372 |     "        elif row.IoCType==\"url\":\n",
373 |     "            url = row.Observable\n",
374 |     "        elif row.IoCType==\"linux_path\" and row.Observable[0]==\"/\" and \".php\"in row.Observable.split(\";\")[0]:\n",
375 |     "            url_path = row.Observable.split(\";\")[0].rstrip(\"'\").rstrip('\"').rstrip()\n",
376 |     "            uri = url + url_path\n",
377 |     "            ioc_input[row.Input][\"url\"].append(uri)    \n",
378 |     "    \n",
379 |     "    # join result\n",
380 |     "    for input_string, iocs in ioc_input.items():\n",
381 |     "        j=0\n",
382 |     "        while j < len(dec_df['decoded_string']):\n",
383 |     "            if dec_df['decode_validated'][j] == input_string:\n",
384 |     "                dec_df.at[dec_df.index[j], 'ioc_ipv4'] = \",\".join(iocs[\"ipv4\"])\n",
385 |     "                dec_df.at[dec_df.index[j], 'ioc_url'] = \",\".join(iocs[\"url\"])\n",
386 |     "            j+=1 \n",
387 |     "    dec_ioc_df = dec_df[[\"ParentCommandLine\",\"decode_validated\",\"ioc_ipv4\",\"ioc_url\"]]\n",
388 |     "\n",
389 |     "    # ipwhois enrichment \n",
390 |     "    dec_ioc_enrich_df = dec_ioc_df.mp.whois(ip_column=\"ioc_ipv4\")        \n",
391 |     "\n",
392 |     "    return dec_ioc_enrich_df[[\"ParentCommandLine\",\"decode_validated\",\"ioc_ipv4\",\"ioc_url\",\"asn\",\"asn_country_code\",\"asn_description\"]] #dec_ioc_enrich_df_completed   \n",
393 |     "    "
394 |    ]
395 |   },
396 |   {
397 |    "cell_type": "code",
398 |    "execution_count": null,
399 |    "metadata": {},
400 |    "outputs": [],
401 |    "source": [
402 |     "# THIS CELL IS NOT EXPORTED - free notebook cell for testing or development purposes\n",
403 |     "print(apply(model,df,param))"
404 |    ]
405 |   },
406 |   {
407 |    "attachments": {},
408 |    "cell_type": "markdown",
409 |    "metadata": {},
410 |    "source": [
411 |     "## Stage 5 - save the model"
412 |    ]
413 |   },
414 |   {
415 |    "cell_type": "code",
416 |    "execution_count": 13,
417 |    "metadata": {
418 |     "deletable": false,
419 |     "name": "mltkc_save"
420 |    },
421 |    "outputs": [],
422 |    "source": [
423 |     "# save model to name in expected convention \"<algo_name>_<model_name>\"\n",
424 |     "def save(model,name):\n",
425 |     "    with open(MODEL_DIRECTORY + name + \".json\", 'w') as file:\n",
426 |     "        json.dump(model, file)\n",
427 |     "    return model"
428 |    ]
429 |   },
430 |   {
431 |    "cell_type": "code",
432 |    "execution_count": 14,
433 |    "metadata": {},
434 |    "outputs": [
435 |     {
436 |      "data": {
437 |       "text/plain": [
438 |        "{'hyperparameter': 0,\n",
439 |        " 'desc': 'msticpy ioc enrichment from process command line'}"
440 |       ]
441 |      },
442 |      "execution_count": 14,
443 |      "metadata": {},
444 |      "output_type": "execute_result"
445 |     }
446 |    ],
447 |    "source": [
448 |     "save(model,algo_name+\"_\"+model_name)"
449 |    ]
450 |   },
451 |   {
452 |    "attachments": {},
453 |    "cell_type": "markdown",
454 |    "metadata": {},
455 |    "source": [
456 |     "## Stage 6 - load the model"
457 |    ]
458 |   },
459 |   {
460 |    "cell_type": "code",
461 |    "execution_count": 15,
462 |    "metadata": {
463 |     "deletable": false,
464 |     "name": "mltkc_load"
465 |    },
466 |    "outputs": [],
467 |    "source": [
468 |     "# load model from name in expected convention \"<algo_name>_<model_name>\"\n",
469 |     "def load(name):\n",
470 |     "    model = {}\n",
471 |     "    with open(MODEL_DIRECTORY + name + \".json\", 'r') as file:\n",
472 |     "        model = json.load(file)\n",
473 |     "    return model"
474 |    ]
475 |   },
476 |   {
477 |    "cell_type": "code",
478 |    "execution_count": 16,
479 |    "metadata": {},
480 |    "outputs": [
481 |     {
482 |      "data": {
483 |       "text/plain": [
484 |        "{'hyperparameter': 0,\n",
485 |        " 'desc': 'msticpy ioc enrichment from process command line'}"
486 |       ]
487 |      },
488 |      "execution_count": 16,
489 |      "metadata": {},
490 |      "output_type": "execute_result"
491 |     }
492 |    ],
493 |    "source": [
494 |     "load(algo_name+\"_\"+model_name)"
495 |    ]
496 |   },
497 |   {
498 |    "attachments": {},
499 |    "cell_type": "markdown",
500 |    "metadata": {},
501 |    "source": [
502 |     "## Stage 7 - provide a summary of the model"
503 |    ]
504 |   },
505 |   {
506 |    "cell_type": "code",
507 |    "execution_count": 17,
508 |    "metadata": {
509 |     "deletable": false,
510 |     "name": "mltkc_summary"
511 |    },
512 |    "outputs": [],
513 |    "source": [
514 |     "# return a model summary\n",
515 |     "def summary(model=None):\n",
516 |     "    returns = {\"version\": {\"numpy\": np.__version__, \"pandas\": pd.__version__} ,\"desc\": \"msticpy ioc enrichment from process command line\"}\n",
517 |     "    return returns"
518 |    ]
519 |   },
520 |   {
521 |    "attachments": {},
522 |    "cell_type": "markdown",
523 |    "metadata": {},
524 |    "source": [
525 |     "After implementing your fit, apply, save and load you can train your model:<br>\n",
526 |     "\n",
527 |     "index=botsv2 \"powershell\" \"-enc\" source=\"WinEventLog*Microsoft-Windows-Sysmon*Operational*\" <br>\n",
528 |     "| where LIKE(ParentCommandLine,\"%powershell%-enc%\") | stats count by ParentCommandLine <br>\n",
529 |     "| fit MLTKContainer algo=msticpy_powershell_ioc ParentCommandLine into app:process_b64_iocs_enrich<br>"
530 |    ]
531 |   },
532 |   {
533 |    "attachments": {},
534 |    "cell_type": "markdown",
535 |    "metadata": {},
536 |    "source": [
537 |     "Or apply your model:<br>\n",
538 |     "\n",
539 |     "index=botsv2 \"powershell\" \"-enc\" source=\"WinEventLog*Microsoft-Windows-Sysmon*Operational*\"<br>\n",
540 |     "| where LIKE(ParentCommandLine,\"%powershell%-enc%\") | stats count by ParentCommandLine<br>\n",
541 |     "| apply process_b64_iocs_enrich<br>"
542 |    ]
543 |   },
544 |   {
545 |    "cell_type": "code",
546 |    "execution_count": null,
547 |    "metadata": {},
548 |    "outputs": [
549 |     {
550 |      "data": {
551 |       "text/plain": [
552 |        "{'version': {'numpy': '1.22.1', 'pandas': '1.5.3'},\n",
553 |        " 'desc': 'msticpy ioc enrichment from process command line'}"
554 |       ]
555 |      },
556 |      "execution_count": 18,
557 |      "metadata": {},
558 |      "output_type": "execute_result"
559 |     }
560 |    ],
561 |    "source": [
562 |     "summary()"
563 |    ]
564 |   },
565 |   {
566 |    "cell_type": "code",
567 |    "execution_count": null,
568 |    "metadata": {},
569 |    "outputs": [],
570 |    "source": []
571 |   },
572 |   {
573 |    "cell_type": "code",
574 |    "execution_count": null,
575 |    "metadata": {},
576 |    "outputs": [],
577 |    "source": []
578 |   },
579 |   {
580 |    "cell_type": "code",
581 |    "execution_count": null,
582 |    "metadata": {},
583 |    "outputs": [],
584 |    "source": []
585 |   },
586 |   {
587 |    "attachments": {},
588 |    "cell_type": "markdown",
589 |    "metadata": {},
590 |    "source": [
591 |     "## Send data back to Splunk HEC\n",
592 |     "When you configured the Splunk HEC Settings in the DSDL app you can easily send back data to an index with [Splunk's HTTP Event Collector (HEC)](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector). Read more about data formats and options in the [documentation](https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Event_metadata).\n",
593 |     "\n",
594 |     "### Use cases\n",
595 |     "- you want to offload longer running, possibly distributed computations that need to deliver results asynchroneously back into Splunk. \n",
596 |     "- you might not want to present results back into the search pipeline after your `| fit` or `| apply` command. \n",
597 |     "- you can easily utilize this approach for any logging purposes or other profiling tasks in your ML code so you can actively monitor and analyze your processes.\n",
598 |     "\n",
599 |     "### Example"
600 |    ]
601 |   },
602 |   {
603 |    "cell_type": "code",
604 |    "execution_count": 19,
605 |    "metadata": {},
606 |    "outputs": [],
607 |    "source": [
608 |     "from dsdlsupport import SplunkHEC as SplunkHEC\n",
609 |     "hec = SplunkHEC.SplunkHEC()"
610 |    ]
611 |   },
612 |   {
613 |    "cell_type": "code",
614 |    "execution_count": null,
615 |    "metadata": {},
616 |    "outputs": [],
617 |    "source": [
618 |     "# example to send 10 hello world events\n",
619 |     "response = hec.send_hello_world(10)"
620 |    ]
621 |   },
622 |   {
623 |    "cell_type": "code",
624 |    "execution_count": null,
625 |    "metadata": {},
626 |    "outputs": [],
627 |    "source": [
628 |     "print(\"HEC endpoint %s \\nreturned with status code %s \\nand response message: %s\" % (response.url, response.status_code, response.text))"
629 |    ]
630 |   },
631 |   {
632 |    "cell_type": "code",
633 |    "execution_count": 21,
634 |    "metadata": {},
635 |    "outputs": [],
636 |    "source": [
637 |     "# example to send a JSON object, e.g. to log some data\n",
638 |     "from datetime import datetime\n",
639 |     "response = hec.send({'event': {'message': 'operation done', 'log_level': 'INFO' }, 'time': datetime.now().timestamp()})"
640 |    ]
641 |   },
642 |   {
643 |    "cell_type": "code",
644 |    "execution_count": null,
645 |    "metadata": {},
646 |    "outputs": [],
647 |    "source": [
648 |     "print(\"HEC endpoint %s \\nreturned with status code %s \\nand response message: %s\" % (response.url, response.status_code, response.text))"
649 |    ]
650 |   },
651 |   {
652 |    "attachments": {},
653 |    "cell_type": "markdown",
654 |    "metadata": {},
655 |    "source": [
656 |     "## End of Stages\n",
657 |     "All subsequent cells are not tagged and can be used for further freeform code"
658 |    ]
659 |   },
660 |   {
661 |    "cell_type": "code",
662 |    "execution_count": null,
663 |    "metadata": {},
664 |    "outputs": [],
665 |    "source": []
666 |   },
667 |   {
668 |    "cell_type": "code",
669 |    "execution_count": null,
670 |    "metadata": {},
671 |    "outputs": [],
672 |    "source": []
673 |   }
674 |  ],
675 |  "metadata": {
676 |   "kernelspec": {
677 |    "display_name": "Python 3 (ipykernel)",
678 |    "language": "python",
679 |    "name": "python3"
680 |   },
681 |   "language_info": {
682 |    "codemirror_mode": {
683 |     "name": "ipython",
684 |     "version": 3
685 |    },
686 |    "file_extension": ".py",
687 |    "mimetype": "text/x-python",
688 |    "name": "python",
689 |    "nbconvert_exporter": "python",
690 |    "pygments_lexer": "ipython3",
691 |    "version": "3.9.13"
692 |   }
693 |  },
694 |  "nbformat": 4,
695 |  "nbformat_minor": 4
696 | }
697 | 


--------------------------------------------------------------------------------
/timeseries_anomalies_stl/msticpy_timeseries_anomalies_stl.ipynb:
--------------------------------------------------------------------------------
  1 | {
  2 |  "cells": [
  3 |   {
  4 |    "attachments": {},
  5 |    "cell_type": "markdown",
  6 |    "metadata": {},
  7 |    "source": [
  8 |     "## Anomary Detection with timeseries_anomalies_stl \n",
  9 |     "\n",
 10 |     "data: splunk buttercup game added iplocation result"
 11 |    ]
 12 |   },
 13 |   {
 14 |    "cell_type": "code",
 15 |    "execution_count": 22,
 16 |    "metadata": {},
 17 |    "outputs": [
 18 |     {
 19 |      "name": "stdout",
 20 |      "output_type": "stream",
 21 |      "text": [
 22 |       "Requirement already satisfied: statsmodels in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (0.12.1)\n",
 23 |       "Collecting statsmodels\n",
 24 |       "  Downloading statsmodels-0.13.5-cp39-cp39-macosx_10_9_x86_64.whl (9.7 MB)\n",
 25 |       "\u001b[K     |████████████████████████████████| 9.7 MB 11.8 MB/s eta 0:00:01\n",
 26 |       "\u001b[?25hRequirement already satisfied: pandas>=0.25 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from statsmodels) (1.4.2)\n",
 27 |       "Requirement already satisfied: numpy>=1.17 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from statsmodels) (1.22.3)\n",
 28 |       "Requirement already satisfied: packaging>=21.3 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from statsmodels) (21.3)\n",
 29 |       "Requirement already satisfied: scipy>=1.3 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from statsmodels) (1.10.1)\n",
 30 |       "Requirement already satisfied: patsy>=0.5.2 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from statsmodels) (0.5.3)\n",
 31 |       "Requirement already satisfied: pyparsing!=3.0.5,>=2.0.2 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from packaging>=21.3->statsmodels) (3.0.4)\n",
 32 |       "Requirement already satisfied: python-dateutil>=2.8.1 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from pandas>=0.25->statsmodels) (2.8.2)\n",
 33 |       "Requirement already satisfied: pytz>=2020.1 in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from pandas>=0.25->statsmodels) (2021.3)\n",
 34 |       "Requirement already satisfied: six in /Users/hacket/opt/anaconda3/envs/msticpy/lib/python3.9/site-packages (from patsy>=0.5.2->statsmodels) (1.16.0)\n",
 35 |       "Installing collected packages: statsmodels\n",
 36 |       "  Attempting uninstall: statsmodels\n",
 37 |       "    Found existing installation: statsmodels 0.12.1\n",
 38 |       "    Uninstalling statsmodels-0.12.1:\n",
 39 |       "      Successfully uninstalled statsmodels-0.12.1\n",
 40 |       "Successfully installed statsmodels-0.13.5\n"
 41 |      ]
 42 |     }
 43 |    ],
 44 |    "source": [
 45 |     "%pip install statsmodels --upgrade"
 46 |    ]
 47 |   },
 48 |   {
 49 |    "cell_type": "code",
 50 |    "execution_count": 51,
 51 |    "metadata": {},
 52 |    "outputs": [
 53 |     {
 54 |      "name": "stdout",
 55 |      "output_type": "stream",
 56 |      "text": [
 57 |       "Mon May  8 13:18:46 JST 2023\n",
 58 |       "Python 3.9.12\n",
 59 |       "sys.version\n",
 60 |       " 3.9.12 (main, Apr  5 2022, 01:53:17) \n",
 61 |       "[Clang 12.0.0 ]\n"
 62 |      ]
 63 |     }
 64 |    ],
 65 |    "source": [
 66 |     "\n",
 67 |     "!date\n",
 68 |     "!python -V # check if python version is later than 3.8\n",
 69 |     "\n",
 70 |     "import sys\n",
 71 |     "print(\"sys.version\\n\",sys.version)"
 72 |    ]
 73 |   },
 74 |   {
 75 |    "cell_type": "code",
 76 |    "execution_count": 52,
 77 |    "metadata": {},
 78 |    "outputs": [
 79 |     {
 80 |      "name": "stdout",
 81 |      "output_type": "stream",
 82 |      "text": [
 83 |       "2.4.0\n"
 84 |      ]
 85 |     }
 86 |    ],
 87 |    "source": [
 88 |     "import msticpy\n",
 89 |     "print(msticpy.__version__)"
 90 |    ]
 91 |   },
 92 |   {
 93 |    "cell_type": "code",
 94 |    "execution_count": null,
 95 |    "metadata": {},
 96 |    "outputs": [],
 97 |    "source": [
 98 |     "#mp.init_notebook()"
 99 |    ]
100 |   },
101 |   {
102 |    "cell_type": "code",
103 |    "execution_count": 139,
104 |    "metadata": {},
105 |    "outputs": [
106 |     {
107 |      "data": {
108 |       "text/html": [
109 |        "<div>\n",
110 |        "<style scoped>\n",
111 |        "    .dataframe tbody tr th:only-of-type {\n",
112 |        "        vertical-align: middle;\n",
113 |        "    }\n",
114 |        "\n",
115 |        "    .dataframe tbody tr th {\n",
116 |        "        vertical-align: top;\n",
117 |        "    }\n",
118 |        "\n",
119 |        "    .dataframe thead th {\n",
120 |        "        text-align: right;\n",
121 |        "    }\n",
122 |        "</style>\n",
123 |        "<table border=\"1\" class=\"dataframe\">\n",
124 |        "  <thead>\n",
125 |        "    <tr style=\"text-align: right;\">\n",
126 |        "      <th></th>\n",
127 |        "      <th>Country</th>\n",
128 |        "      <th>action</th>\n",
129 |        "      <th>bytes</th>\n",
130 |        "      <th>req_time</th>\n",
131 |        "      <th>status</th>\n",
132 |        "      <th>date_clock</th>\n",
133 |        "      <th>count</th>\n",
134 |        "    </tr>\n",
135 |        "  </thead>\n",
136 |        "  <tbody>\n",
137 |        "    <tr>\n",
138 |        "      <th>0</th>\n",
139 |        "      <td>Netherlands</td>\n",
140 |        "      <td>addtocart</td>\n",
141 |        "      <td>2744</td>\n",
142 |        "      <td>08/Sep/2022:07:19:24</td>\n",
143 |        "      <td>200</td>\n",
144 |        "      <td>2022-09-08 07</td>\n",
145 |        "      <td>1</td>\n",
146 |        "    </tr>\n",
147 |        "    <tr>\n",
148 |        "      <th>1</th>\n",
149 |        "      <td>Netherlands</td>\n",
150 |        "      <td>purchase</td>\n",
151 |        "      <td>1736</td>\n",
152 |        "      <td>08/Sep/2022:07:19:26</td>\n",
153 |        "      <td>200</td>\n",
154 |        "      <td>2022-09-08 07</td>\n",
155 |        "      <td>1</td>\n",
156 |        "    </tr>\n",
157 |        "    <tr>\n",
158 |        "      <th>2</th>\n",
159 |        "      <td>Netherlands</td>\n",
160 |        "      <td>purchase</td>\n",
161 |        "      <td>989</td>\n",
162 |        "      <td>08/Sep/2022:07:19:25</td>\n",
163 |        "      <td>200</td>\n",
164 |        "      <td>2022-09-08 07</td>\n",
165 |        "      <td>1</td>\n",
166 |        "    </tr>\n",
167 |        "    <tr>\n",
168 |        "      <th>3</th>\n",
169 |        "      <td>Netherlands</td>\n",
170 |        "      <td>addtocart</td>\n",
171 |        "      <td>1581</td>\n",
172 |        "      <td>08/Sep/2022:07:19:24</td>\n",
173 |        "      <td>200</td>\n",
174 |        "      <td>2022-09-08 07</td>\n",
175 |        "      <td>1</td>\n",
176 |        "    </tr>\n",
177 |        "    <tr>\n",
178 |        "      <th>4</th>\n",
179 |        "      <td>Netherlands</td>\n",
180 |        "      <td>NaN</td>\n",
181 |        "      <td>749</td>\n",
182 |        "      <td>08/Sep/2022:07:19:24</td>\n",
183 |        "      <td>200</td>\n",
184 |        "      <td>2022-09-08 07</td>\n",
185 |        "      <td>1</td>\n",
186 |        "    </tr>\n",
187 |        "  </tbody>\n",
188 |        "</table>\n",
189 |        "</div>"
190 |       ],
191 |       "text/plain": [
192 |        "       Country     action  bytes              req_time  status     date_clock  \\\n",
193 |        "0  Netherlands  addtocart   2744  08/Sep/2022:07:19:24     200  2022-09-08 07   \n",
194 |        "1  Netherlands   purchase   1736  08/Sep/2022:07:19:26     200  2022-09-08 07   \n",
195 |        "2  Netherlands   purchase    989  08/Sep/2022:07:19:25     200  2022-09-08 07   \n",
196 |        "3  Netherlands  addtocart   1581  08/Sep/2022:07:19:24     200  2022-09-08 07   \n",
197 |        "4  Netherlands        NaN    749  08/Sep/2022:07:19:24     200  2022-09-08 07   \n",
198 |        "\n",
199 |        "   count  \n",
200 |        "0      1  \n",
201 |        "1      1  \n",
202 |        "2      1  \n",
203 |        "3      1  \n",
204 |        "4      1  "
205 |       ]
206 |      },
207 |      "execution_count": 139,
208 |      "metadata": {},
209 |      "output_type": "execute_result"
210 |     }
211 |    ],
212 |    "source": [
213 |     "import pandas as pd\n",
214 |     "\n",
215 |     "df = pd.read_csv(\n",
216 |     "    \"../data/buttercupgame_iplocation.csv\", infer_datetime_format=True,\n",
217 |     "    usecols=[\"req_time\",\"bytes\",\"Country\",\"status\",\"action\"]\n",
218 |     "    )\n",
219 |     "df[\"date_clock\"] = pd.to_datetime(df[\"req_time\"],  format=\"%d/%b/%Y:%H:%M:%S\", errors='coerce').dt.strftime(\"%Y-%m-%d %H\")\n",
220 |     "df['count'] = 1\n",
221 |     "df.head()"
222 |    ]
223 |   },
224 |   {
225 |    "cell_type": "code",
226 |    "execution_count": 141,
227 |    "metadata": {},
228 |    "outputs": [
229 |     {
230 |      "data": {
231 |       "text/html": [
232 |        "<div>\n",
233 |        "<style scoped>\n",
234 |        "    .dataframe tbody tr th:only-of-type {\n",
235 |        "        vertical-align: middle;\n",
236 |        "    }\n",
237 |        "\n",
238 |        "    .dataframe tbody tr th {\n",
239 |        "        vertical-align: top;\n",
240 |        "    }\n",
241 |        "\n",
242 |        "    .dataframe thead th {\n",
243 |        "        text-align: right;\n",
244 |        "    }\n",
245 |        "</style>\n",
246 |        "<table border=\"1\" class=\"dataframe\">\n",
247 |        "  <thead>\n",
248 |        "    <tr style=\"text-align: right;\">\n",
249 |        "      <th></th>\n",
250 |        "      <th>date_clock</th>\n",
251 |        "      <th>action</th>\n",
252 |        "      <th>count</th>\n",
253 |        "    </tr>\n",
254 |        "  </thead>\n",
255 |        "  <tbody>\n",
256 |        "    <tr>\n",
257 |        "      <th>0</th>\n",
258 |        "      <td>2022-09-01 18</td>\n",
259 |        "      <td>addtocart</td>\n",
260 |        "      <td>17</td>\n",
261 |        "    </tr>\n",
262 |        "    <tr>\n",
263 |        "      <th>1</th>\n",
264 |        "      <td>2022-09-01 18</td>\n",
265 |        "      <td>changequantity</td>\n",
266 |        "      <td>7</td>\n",
267 |        "    </tr>\n",
268 |        "    <tr>\n",
269 |        "      <th>2</th>\n",
270 |        "      <td>2022-09-01 18</td>\n",
271 |        "      <td>purchase</td>\n",
272 |        "      <td>17</td>\n",
273 |        "    </tr>\n",
274 |        "    <tr>\n",
275 |        "      <th>3</th>\n",
276 |        "      <td>2022-09-01 18</td>\n",
277 |        "      <td>remove</td>\n",
278 |        "      <td>9</td>\n",
279 |        "    </tr>\n",
280 |        "    <tr>\n",
281 |        "      <th>4</th>\n",
282 |        "      <td>2022-09-01 18</td>\n",
283 |        "      <td>view</td>\n",
284 |        "      <td>20</td>\n",
285 |        "    </tr>\n",
286 |        "  </tbody>\n",
287 |        "</table>\n",
288 |        "</div>"
289 |       ],
290 |       "text/plain": [
291 |        "      date_clock          action  count\n",
292 |        "0  2022-09-01 18       addtocart     17\n",
293 |        "1  2022-09-01 18  changequantity      7\n",
294 |        "2  2022-09-01 18        purchase     17\n",
295 |        "3  2022-09-01 18          remove      9\n",
296 |        "4  2022-09-01 18            view     20"
297 |       ]
298 |      },
299 |      "execution_count": 141,
300 |      "metadata": {},
301 |      "output_type": "execute_result"
302 |     }
303 |    ],
304 |    "source": [
305 |     "\n",
306 |     "\n",
307 |     "df_action = df.groupby(['date_clock','action'])['count'].sum().reset_index()\n",
308 |     "df_action.head()\n"
309 |    ]
310 |   },
311 |   {
312 |    "cell_type": "code",
313 |    "execution_count": 142,
314 |    "metadata": {},
315 |    "outputs": [
316 |     {
317 |      "data": {
318 |       "text/html": [
319 |        "<div>\n",
320 |        "<style scoped>\n",
321 |        "    .dataframe tbody tr th:only-of-type {\n",
322 |        "        vertical-align: middle;\n",
323 |        "    }\n",
324 |        "\n",
325 |        "    .dataframe tbody tr th {\n",
326 |        "        vertical-align: top;\n",
327 |        "    }\n",
328 |        "\n",
329 |        "    .dataframe thead th {\n",
330 |        "        text-align: right;\n",
331 |        "    }\n",
332 |        "</style>\n",
333 |        "<table border=\"1\" class=\"dataframe\">\n",
334 |        "  <thead>\n",
335 |        "    <tr style=\"text-align: right;\">\n",
336 |        "      <th></th>\n",
337 |        "      <th>date_clock</th>\n",
338 |        "      <th>action</th>\n",
339 |        "      <th>count</th>\n",
340 |        "    </tr>\n",
341 |        "  </thead>\n",
342 |        "  <tbody>\n",
343 |        "    <tr>\n",
344 |        "      <th>0</th>\n",
345 |        "      <td>2022-09-01 18</td>\n",
346 |        "      <td>addtocart</td>\n",
347 |        "      <td>17</td>\n",
348 |        "    </tr>\n",
349 |        "    <tr>\n",
350 |        "      <th>5</th>\n",
351 |        "      <td>2022-09-01 19</td>\n",
352 |        "      <td>addtocart</td>\n",
353 |        "      <td>40</td>\n",
354 |        "    </tr>\n",
355 |        "    <tr>\n",
356 |        "      <th>10</th>\n",
357 |        "      <td>2022-09-01 20</td>\n",
358 |        "      <td>addtocart</td>\n",
359 |        "      <td>26</td>\n",
360 |        "    </tr>\n",
361 |        "    <tr>\n",
362 |        "      <th>15</th>\n",
363 |        "      <td>2022-09-01 21</td>\n",
364 |        "      <td>addtocart</td>\n",
365 |        "      <td>46</td>\n",
366 |        "    </tr>\n",
367 |        "    <tr>\n",
368 |        "      <th>20</th>\n",
369 |        "      <td>2022-09-01 22</td>\n",
370 |        "      <td>addtocart</td>\n",
371 |        "      <td>24</td>\n",
372 |        "    </tr>\n",
373 |        "  </tbody>\n",
374 |        "</table>\n",
375 |        "</div>"
376 |       ],
377 |       "text/plain": [
378 |        "       date_clock     action  count\n",
379 |        "0   2022-09-01 18  addtocart     17\n",
380 |        "5   2022-09-01 19  addtocart     40\n",
381 |        "10  2022-09-01 20  addtocart     26\n",
382 |        "15  2022-09-01 21  addtocart     46\n",
383 |        "20  2022-09-01 22  addtocart     24"
384 |       ]
385 |      },
386 |      "execution_count": 142,
387 |      "metadata": {},
388 |      "output_type": "execute_result"
389 |     }
390 |    ],
391 |    "source": [
392 |     "df_action = df_action[df_action.action==\"addtocart\"]\n",
393 |     "df_action.head()"
394 |    ]
395 |   },
396 |   {
397 |    "cell_type": "code",
398 |    "execution_count": 143,
399 |    "metadata": {},
400 |    "outputs": [
401 |     {
402 |      "data": {
403 |       "text/html": [
404 |        "<div>\n",
405 |        "<style scoped>\n",
406 |        "    .dataframe tbody tr th:only-of-type {\n",
407 |        "        vertical-align: middle;\n",
408 |        "    }\n",
409 |        "\n",
410 |        "    .dataframe tbody tr th {\n",
411 |        "        vertical-align: top;\n",
412 |        "    }\n",
413 |        "\n",
414 |        "    .dataframe thead th {\n",
415 |        "        text-align: right;\n",
416 |        "    }\n",
417 |        "</style>\n",
418 |        "<table border=\"1\" class=\"dataframe\">\n",
419 |        "  <thead>\n",
420 |        "    <tr style=\"text-align: right;\">\n",
421 |        "      <th></th>\n",
422 |        "      <th>date_clock</th>\n",
423 |        "      <th>count</th>\n",
424 |        "      <th>residual</th>\n",
425 |        "      <th>trend</th>\n",
426 |        "      <th>seasonal</th>\n",
427 |        "      <th>weights</th>\n",
428 |        "      <th>baseline</th>\n",
429 |        "      <th>score</th>\n",
430 |        "      <th>anomalies</th>\n",
431 |        "    </tr>\n",
432 |        "  </thead>\n",
433 |        "  <tbody>\n",
434 |        "    <tr>\n",
435 |        "      <th>0</th>\n",
436 |        "      <td>2022-09-01 18</td>\n",
437 |        "      <td>17</td>\n",
438 |        "      <td>-2</td>\n",
439 |        "      <td>34</td>\n",
440 |        "      <td>-14</td>\n",
441 |        "      <td>1</td>\n",
442 |        "      <td>19</td>\n",
443 |        "      <td>-0.424389</td>\n",
444 |        "      <td>0</td>\n",
445 |        "    </tr>\n",
446 |        "    <tr>\n",
447 |        "      <th>1</th>\n",
448 |        "      <td>2022-09-01 19</td>\n",
449 |        "      <td>40</td>\n",
450 |        "      <td>1</td>\n",
451 |        "      <td>34</td>\n",
452 |        "      <td>4</td>\n",
453 |        "      <td>1</td>\n",
454 |        "      <td>38</td>\n",
455 |        "      <td>0.201091</td>\n",
456 |        "      <td>0</td>\n",
457 |        "    </tr>\n",
458 |        "    <tr>\n",
459 |        "      <th>2</th>\n",
460 |        "      <td>2022-09-01 20</td>\n",
461 |        "      <td>26</td>\n",
462 |        "      <td>-3</td>\n",
463 |        "      <td>34</td>\n",
464 |        "      <td>-4</td>\n",
465 |        "      <td>1</td>\n",
466 |        "      <td>29</td>\n",
467 |        "      <td>-0.632882</td>\n",
468 |        "      <td>0</td>\n",
469 |        "    </tr>\n",
470 |        "    <tr>\n",
471 |        "      <th>3</th>\n",
472 |        "      <td>2022-09-01 21</td>\n",
473 |        "      <td>46</td>\n",
474 |        "      <td>3</td>\n",
475 |        "      <td>34</td>\n",
476 |        "      <td>8</td>\n",
477 |        "      <td>1</td>\n",
478 |        "      <td>42</td>\n",
479 |        "      <td>0.618078</td>\n",
480 |        "      <td>0</td>\n",
481 |        "    </tr>\n",
482 |        "    <tr>\n",
483 |        "      <th>4</th>\n",
484 |        "      <td>2022-09-01 22</td>\n",
485 |        "      <td>24</td>\n",
486 |        "      <td>-2</td>\n",
487 |        "      <td>34</td>\n",
488 |        "      <td>-7</td>\n",
489 |        "      <td>1</td>\n",
490 |        "      <td>26</td>\n",
491 |        "      <td>-0.424389</td>\n",
492 |        "      <td>0</td>\n",
493 |        "    </tr>\n",
494 |        "  </tbody>\n",
495 |        "</table>\n",
496 |        "</div>"
497 |       ],
498 |       "text/plain": [
499 |        "      date_clock  count  residual  trend  seasonal  weights  baseline  \\\n",
500 |        "0  2022-09-01 18     17        -2     34       -14        1        19   \n",
501 |        "1  2022-09-01 19     40         1     34         4        1        38   \n",
502 |        "2  2022-09-01 20     26        -3     34        -4        1        29   \n",
503 |        "3  2022-09-01 21     46         3     34         8        1        42   \n",
504 |        "4  2022-09-01 22     24        -2     34        -7        1        26   \n",
505 |        "\n",
506 |        "      score  anomalies  \n",
507 |        "0 -0.424389          0  \n",
508 |        "1  0.201091          0  \n",
509 |        "2 -0.632882          0  \n",
510 |        "3  0.618078          0  \n",
511 |        "4 -0.424389          0  "
512 |       ]
513 |      },
514 |      "execution_count": 143,
515 |      "metadata": {},
516 |      "output_type": "execute_result"
517 |     }
518 |    ],
519 |    "source": [
520 |     "from msticpy.analysis.timeseries import timeseries_anomalies_stl\n",
521 |     "df_count = df_action[['date_clock','count']]\n",
522 |     "df_count = df_count.set_index('date_clock')\n",
523 |     "output = timeseries_anomalies_stl(df_count)\n",
524 |     "output.head()"
525 |    ]
526 |   },
527 |   {
528 |    "cell_type": "code",
529 |    "execution_count": 144,
530 |    "metadata": {},
531 |    "outputs": [
532 |     {
533 |      "data": {
534 |       "text/html": [
535 |        "<div>\n",
536 |        "<style scoped>\n",
537 |        "    .dataframe tbody tr th:only-of-type {\n",
538 |        "        vertical-align: middle;\n",
539 |        "    }\n",
540 |        "\n",
541 |        "    .dataframe tbody tr th {\n",
542 |        "        vertical-align: top;\n",
543 |        "    }\n",
544 |        "\n",
545 |        "    .dataframe thead th {\n",
546 |        "        text-align: right;\n",
547 |        "    }\n",
548 |        "</style>\n",
549 |        "<table border=\"1\" class=\"dataframe\">\n",
550 |        "  <thead>\n",
551 |        "    <tr style=\"text-align: right;\">\n",
552 |        "      <th></th>\n",
553 |        "      <th>date_clock</th>\n",
554 |        "      <th>count</th>\n",
555 |        "      <th>residual</th>\n",
556 |        "      <th>trend</th>\n",
557 |        "      <th>seasonal</th>\n",
558 |        "      <th>weights</th>\n",
559 |        "      <th>baseline</th>\n",
560 |        "      <th>score</th>\n",
561 |        "      <th>anomalies</th>\n",
562 |        "    </tr>\n",
563 |        "  </thead>\n",
564 |        "  <tbody>\n",
565 |        "    <tr>\n",
566 |        "      <th>94</th>\n",
567 |        "      <td>2022-09-05 16</td>\n",
568 |        "      <td>52</td>\n",
569 |        "      <td>15</td>\n",
570 |        "      <td>33</td>\n",
571 |        "      <td>3</td>\n",
572 |        "      <td>1</td>\n",
573 |        "      <td>36</td>\n",
574 |        "      <td>3.119998</td>\n",
575 |        "      <td>1</td>\n",
576 |        "    </tr>\n",
577 |        "  </tbody>\n",
578 |        "</table>\n",
579 |        "</div>"
580 |       ],
581 |       "text/plain": [
582 |        "       date_clock  count  residual  trend  seasonal  weights  baseline  \\\n",
583 |        "94  2022-09-05 16     52        15     33         3        1        36   \n",
584 |        "\n",
585 |        "       score  anomalies  \n",
586 |        "94  3.119998          1  "
587 |       ]
588 |      },
589 |      "execution_count": 144,
590 |      "metadata": {},
591 |      "output_type": "execute_result"
592 |     }
593 |    ],
594 |    "source": [
595 |     "output[output.anomalies == 1]"
596 |    ]
597 |   },
598 |   {
599 |    "cell_type": "code",
600 |    "execution_count": 146,
601 |    "metadata": {},
602 |    "outputs": [
603 |     {
604 |      "name": "stderr",
605 |      "output_type": "stream",
606 |      "text": [
607 |       "/var/folders/9j/5q4qwns11lv47mtj3ykbp5_40000gn/T/ipykernel_3437/3785166171.py:7: DeprecationWarning: Call to deprecated function (or staticmethod) display_timeseries_anomolies. (Will be removed in version 2.0.0. Please use display_timeseries_anomalies) -- Deprecated since version 1.7.0.\n",
608 |       "  timeseries_anomalies_plot = display_timeseries_anomolies(\n"
609 |      ]
610 |     },
611 |     {
612 |      "data": {
613 |       "text/html": [
614 |        "\n",
615 |        "    <div class=\"bk-root\">\n",
616 |        "        <a href=\"https://bokeh.org\" target=\"_blank\" class=\"bk-logo bk-logo-small bk-logo-notebook\"></a>\n",
617 |        "        <span id=\"8346\">Loading BokehJS ...</span>\n",
618 |        "    </div>"
619 |       ]
620 |      },
621 |      "metadata": {},
622 |      "output_type": "display_data"
623 |     },
624 |     {
625 |      "data": {
626 |       "application/javascript": "\n(function(root) {\n  function now() {\n    return new Date();\n  }\n\n  const force = true;\n\n  if (typeof root._bokeh_onload_callbacks === \"undefined\" || force === true) {\n    root._bokeh_onload_callbacks = [];\n    root._bokeh_is_loading = undefined;\n  }\n\n  const JS_MIME_TYPE = 'application/javascript';\n  const HTML_MIME_TYPE = 'text/html';\n  const EXEC_MIME_TYPE = 'application/vnd.bokehjs_exec.v0+json';\n  const CLASS_NAME = 'output_bokeh rendered_html';\n\n  /**\n   * Render data to the DOM node\n   */\n  function render(props, node) {\n    const script = document.createElement(\"script\");\n    node.appendChild(script);\n  }\n\n  /**\n   * Handle when an output is cleared or removed\n   */\n  function handleClearOutput(event, handle) {\n    const cell = handle.cell;\n\n    const id = cell.output_area._bokeh_element_id;\n    const server_id = cell.output_area._bokeh_server_id;\n    // Clean up Bokeh references\n    if (id != null && id in Bokeh.index) {\n      Bokeh.index[id].model.document.clear();\n      delete Bokeh.index[id];\n    }\n\n    if (server_id !== undefined) {\n      // Clean up Bokeh references\n      const cmd_clean = \"from bokeh.io.state import curstate; print(curstate().uuid_to_server['\" + server_id + \"'].get_sessions()[0].document.roots[0]._id)\";\n      cell.notebook.kernel.execute(cmd_clean, {\n        iopub: {\n          output: function(msg) {\n            const id = msg.content.text.trim();\n            if (id in Bokeh.index) {\n              Bokeh.index[id].model.document.clear();\n              delete Bokeh.index[id];\n            }\n          }\n        }\n      });\n      // Destroy server and session\n      const cmd_destroy = \"import bokeh.io.notebook as ion; ion.destroy_server('\" + server_id + \"')\";\n      cell.notebook.kernel.execute(cmd_destroy);\n    }\n  }\n\n  /**\n   * Handle when a new output is added\n   */\n  function handleAddOutput(event, handle) {\n    const output_area = handle.output_area;\n    const output = handle.output;\n\n    // limit handleAddOutput to display_data with EXEC_MIME_TYPE content only\n    if ((output.output_type != \"display_data\") || (!Object.prototype.hasOwnProperty.call(output.data, EXEC_MIME_TYPE))) {\n      return\n    }\n\n    const toinsert = output_area.element.find(\".\" + CLASS_NAME.split(' ')[0]);\n\n    if (output.metadata[EXEC_MIME_TYPE][\"id\"] !== undefined) {\n      toinsert[toinsert.length - 1].firstChild.textContent = output.data[JS_MIME_TYPE];\n      // store reference to embed id on output_area\n      output_area._bokeh_element_id = output.metadata[EXEC_MIME_TYPE][\"id\"];\n    }\n    if (output.metadata[EXEC_MIME_TYPE][\"server_id\"] !== undefined) {\n      const bk_div = document.createElement(\"div\");\n      bk_div.innerHTML = output.data[HTML_MIME_TYPE];\n      const script_attrs = bk_div.children[0].attributes;\n      for (let i = 0; i < script_attrs.length; i++) {\n        toinsert[toinsert.length - 1].firstChild.setAttribute(script_attrs[i].name, script_attrs[i].value);\n        toinsert[toinsert.length - 1].firstChild.textContent = bk_div.children[0].textContent\n      }\n      // store reference to server id on output_area\n      output_area._bokeh_server_id = output.metadata[EXEC_MIME_TYPE][\"server_id\"];\n    }\n  }\n\n  function register_renderer(events, OutputArea) {\n\n    function append_mime(data, metadata, element) {\n      // create a DOM node to render to\n      const toinsert = this.create_output_subarea(\n        metadata,\n        CLASS_NAME,\n        EXEC_MIME_TYPE\n      );\n      this.keyboard_manager.register_events(toinsert);\n      // Render to node\n      const props = {data: data, metadata: metadata[EXEC_MIME_TYPE]};\n      render(props, toinsert[toinsert.length - 1]);\n      element.append(toinsert);\n      return toinsert\n    }\n\n    /* Handle when an output is cleared or removed */\n    events.on('clear_output.CodeCell', handleClearOutput);\n    events.on('delete.Cell', handleClearOutput);\n\n    /* Handle when a new output is added */\n    events.on('output_added.OutputArea', handleAddOutput);\n\n    /**\n     * Register the mime type and append_mime function with output_area\n     */\n    OutputArea.prototype.register_mime_type(EXEC_MIME_TYPE, append_mime, {\n      /* Is output safe? */\n      safe: true,\n      /* Index of renderer in `output_area.display_order` */\n      index: 0\n    });\n  }\n\n  // register the mime type if in Jupyter Notebook environment and previously unregistered\n  if (root.Jupyter !== undefined) {\n    const events = require('base/js/events');\n    const OutputArea = require('notebook/js/outputarea').OutputArea;\n\n    if (OutputArea.prototype.mime_types().indexOf(EXEC_MIME_TYPE) == -1) {\n      register_renderer(events, OutputArea);\n    }\n  }\n\n  \n  if (typeof (root._bokeh_timeout) === \"undefined\" || force === true) {\n    root._bokeh_timeout = Date.now() + 5000;\n    root._bokeh_failed_load = false;\n  }\n\n  const NB_LOAD_WARNING = {'data': {'text/html':\n     \"<div style='background-color: #fdd'>\\n\"+\n     \"<p>\\n\"+\n     \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n     \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n     \"</p>\\n\"+\n     \"<ul>\\n\"+\n     \"<li>re-rerun `output_notebook()` to attempt to load from CDN again, or</li>\\n\"+\n     \"<li>use INLINE resources instead, as so:</li>\\n\"+\n     \"</ul>\\n\"+\n     \"<code>\\n\"+\n     \"from bokeh.resources import INLINE\\n\"+\n     \"output_notebook(resources=INLINE)\\n\"+\n     \"</code>\\n\"+\n     \"</div>\"}};\n\n  function display_loaded() {\n    const el = document.getElementById(\"8346\");\n    if (el != null) {\n      el.textContent = \"BokehJS is loading...\";\n    }\n    if (root.Bokeh !== undefined) {\n      if (el != null) {\n        el.textContent = \"BokehJS \" + root.Bokeh.version + \" successfully loaded.\";\n      }\n    } else if (Date.now() < root._bokeh_timeout) {\n      setTimeout(display_loaded, 100)\n    }\n  }\n\n\n  function run_callbacks() {\n    try {\n      root._bokeh_onload_callbacks.forEach(function(callback) {\n        if (callback != null)\n          callback();\n      });\n    } finally {\n      delete root._bokeh_onload_callbacks\n    }\n    console.debug(\"Bokeh: all callbacks have finished\");\n  }\n\n  function load_libs(css_urls, js_urls, callback) {\n    if (css_urls == null) css_urls = [];\n    if (js_urls == null) js_urls = [];\n\n    root._bokeh_onload_callbacks.push(callback);\n    if (root._bokeh_is_loading > 0) {\n      console.debug(\"Bokeh: BokehJS is being loaded, scheduling callback at\", now());\n      return null;\n    }\n    if (js_urls == null || js_urls.length === 0) {\n      run_callbacks();\n      return null;\n    }\n    console.debug(\"Bokeh: BokehJS not loaded, scheduling load and callback at\", now());\n    root._bokeh_is_loading = css_urls.length + js_urls.length;\n\n    function on_load() {\n      root._bokeh_is_loading--;\n      if (root._bokeh_is_loading === 0) {\n        console.debug(\"Bokeh: all BokehJS libraries/stylesheets loaded\");\n        run_callbacks()\n      }\n    }\n\n    function on_error(url) {\n      console.error(\"failed to load \" + url);\n    }\n\n    for (let i = 0; i < css_urls.length; i++) {\n      const url = css_urls[i];\n      const element = document.createElement(\"link\");\n      element.onload = on_load;\n      element.onerror = on_error.bind(null, url);\n      element.rel = \"stylesheet\";\n      element.type = \"text/css\";\n      element.href = url;\n      console.debug(\"Bokeh: injecting link tag for BokehJS stylesheet: \", url);\n      document.body.appendChild(element);\n    }\n\n    for (let i = 0; i < js_urls.length; i++) {\n      const url = js_urls[i];\n      const element = document.createElement('script');\n      element.onload = on_load;\n      element.onerror = on_error.bind(null, url);\n      element.async = false;\n      element.src = url;\n      console.debug(\"Bokeh: injecting script tag for BokehJS library: \", url);\n      document.head.appendChild(element);\n    }\n  };\n\n  function inject_raw_css(css) {\n    const element = document.createElement(\"style\");\n    element.appendChild(document.createTextNode(css));\n    document.body.appendChild(element);\n  }\n\n  \n  const js_urls = [\"https://cdn.bokeh.org/bokeh/release/bokeh-2.4.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-gl-2.4.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-widgets-2.4.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-tables-2.4.2.min.js\", \"https://cdn.bokeh.org/bokeh/release/bokeh-mathjax-2.4.2.min.js\"];\n  const css_urls = [];\n  \n\n  const inline_js = [\n    function(Bokeh) {\n      Bokeh.set_log_level(\"info\");\n    },\n    function(Bokeh) {\n    \n    \n    }\n  ];\n\n  function run_inline_js() {\n    \n    if (root.Bokeh !== undefined || force === true) {\n      \n    for (let i = 0; i < inline_js.length; i++) {\n      inline_js[i].call(root, root.Bokeh);\n    }\n    if (force === true) {\n        display_loaded();\n      }} else if (Date.now() < root._bokeh_timeout) {\n      setTimeout(run_inline_js, 100);\n    } else if (!root._bokeh_failed_load) {\n      console.log(\"Bokeh: BokehJS failed to load within specified timeout.\");\n      root._bokeh_failed_load = true;\n    } else if (force !== true) {\n      const cell = $(document.getElementById(\"8346\")).parents('.cell').data().cell;\n      cell.output_area.append_execute_result(NB_LOAD_WARNING)\n    }\n\n  }\n\n  if (root._bokeh_is_loading === 0) {\n    console.debug(\"Bokeh: BokehJS loaded, going straight to plotting\");\n    run_inline_js();\n  } else {\n    load_libs(css_urls, js_urls, function() {\n      console.debug(\"Bokeh: BokehJS plotting callback run at\", now());\n      run_inline_js();\n    });\n  }\n}(window));",
627 |       "application/vnd.bokehjs_load.v0+json": ""
628 |      },
629 |      "metadata": {},
630 |      "output_type": "display_data"
631 |     },
632 |     {
633 |      "data": {
634 |       "text/html": [
635 |        "\n",
636 |        "\n",
637 |        "\n",
638 |        "\n",
639 |        "\n",
640 |        "\n",
641 |        "  <div class=\"bk-root\" id=\"33e232ab-a5ae-4857-bd62-01520a0427ac\" data-root-id=\"8563\"></div>\n"
642 |       ]
643 |      },
644 |      "metadata": {},
645 |      "output_type": "display_data"
646 |     },
647 |     {
648 |      "data": {
649 |       "application/javascript": "(function(root) {\n  function embed_document(root) {\n    \n  const docs_json = {\"70465022-a210-4640-b276-2bf87def5374\":{\"defs\":[],\"roots\":{\"references\":[{\"attributes\":{\"children\":[{\"id\":\"8380\"},{\"id\":\"8532\"}]},\"id\":\"8563\",\"type\":\"Column\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"value\":\"#1f77b4\"},\"hatch_alpha\":{\"value\":0.1},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"navy\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8418\",\"type\":\"Circle\"},{\"attributes\":{\"months\":[0,6]},\"id\":\"8440\",\"type\":\"MonthsTicker\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"8347\"},\"glyph\":{\"id\":\"8417\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"8419\"},\"nonselection_glyph\":{\"id\":\"8418\"},\"view\":{\"id\":\"8421\"}},\"id\":\"8420\",\"type\":\"GlyphRenderer\"},{\"attributes\":{},\"id\":\"8441\",\"type\":\"YearsTicker\"},{\"attributes\":{\"mantissas\":[1,2,5],\"max_interval\":500.0,\"num_minor_ticks\":0},\"id\":\"8430\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{\"click_policy\":\"hide\",\"coordinates\":null,\"group\":null,\"items\":[{\"id\":\"8443\"},{\"id\":\"8470\"},{\"id\":\"8500\"}],\"location\":\"top_left\"},\"id\":\"8442\",\"type\":\"Legend\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"value\":\"#1f77b4\"},\"hatch_alpha\":{\"value\":0.2},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"navy\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8419\",\"type\":\"Circle\"},{\"attributes\":{\"source\":{\"id\":\"8347\"}},\"id\":\"8421\",\"type\":\"CDSView\"},{\"attributes\":{\"label\":{\"value\":\"observed\"},\"renderers\":[{\"id\":\"8420\"}]},\"id\":\"8443\",\"type\":\"LegendItem\"},{\"attributes\":{\"end\":1662750720000.0,\"start\":1661964480000.0},\"id\":\"8535\",\"type\":\"Range1d\"},{\"attributes\":{\"below\":[{\"id\":\"8543\"},{\"id\":\"8548\"}],\"center\":[{\"id\":\"8546\"}],\"height\":120,\"renderers\":[{\"id\":\"8556\"}],\"title\":{\"id\":\"8533\"},\"toolbar\":{\"id\":\"8547\"},\"toolbar_location\":null,\"width\":1200,\"x_range\":{\"id\":\"8535\"},\"x_scale\":{\"id\":\"8539\"},\"y_range\":{\"id\":\"8537\"},\"y_scale\":{\"id\":\"8541\"}},\"id\":\"8532\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":{\"callback\":null,\"formatters\":{\"@date_clock\":\"datetime\"},\"tooltips\":[[\"date_clock\",\"@date_clock{%F %T.%3N}\"],[\"count\",\"@count\"],[\"residual\",\"@residual\"],[\"trend\",\"@trend\"],[\"seasonal\",\"@seasonal\"],[\"weights\",\"@weights\"],[\"baseline\",\"@baseline\"],[\"score\",\"@score\"]]},\"id\":\"8348\",\"type\":\"HoverTool\"},{\"attributes\":{\"coordinates\":null,\"fill_alpha\":0.2,\"fill_color\":\"navy\",\"group\":null,\"level\":\"overlay\",\"line_alpha\":1.0,\"line_color\":\"black\",\"line_dash\":[2,2],\"line_width\":0.5,\"syncable\":false},\"id\":\"8559\",\"type\":\"BoxAnnotation\"},{\"attributes\":{\"data\":{\"anomalies\":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"baseline\":[19,38,29,42,26,29,39,40,32,54,35,23,30,27,36,27,34,25,33,33,34,43,35,40,26,38,31,39,30,33,37,43,36,54,35,28,30,28,34,26,33,28,33,34,33,46,38,41,33,39,34,36,33,36,35,45,38,52,33,30,28,26,29,23,29,28,29,30,28,43,36,39,36,36,33,31,34,35,31,46,39,49,29,31,25,24,24,21,26,28,27,28,26,44,36,39,38,36,32,32,34,32,34,50,40,50,29,33,29,26,24,22,29,29,26,29,27,44,34,38,34,36,31,31,33,28,35,54,38,50,28,31,30,25,22,22,32,29,24,28,29,43,33,39,31,38,32,33,34,25,40,60,39,52,29,33,35,27,23,24,38,30,23,29,32,43,30,40,27],\"count\":[17,40,26,46,24,26,46,48,28,55,35,24,29,29,36,30,29,25,31,31,38,47,37,40,25,34,35,32,35,38,33,26,44,52,40,26,38,27,34,26,39,29,38,39,33,38,39,42,39,43,35,42,34,33,31,54,38,59,24,27,21,24,34,18,35,29,29,29,23,52,26,41,44,37,38,28,28,44,27,54,32,41,36,44,20,30,16,23,22,28,23,27,26,39,52,35,34,37,32,28,42,38,34,44,49,54,31,29,33,23,28,22,19,34,32,26,31,48,33,44,38,29,24,32,40,22,46,42,44,49,21,31,32,25,18,24,29,23,24,37,24,47,33,38,36,44,38,36,28,27,34,71,33,54,33,34,34,28,26,24,46,33,22,25,35,40,29,40,23],\"date_clock\":{\"__ndarray__\":\"AABQW6MveEIAADjKpi94QgAAIDmqL3hCAAAIqK0veEIAAPAWsS94QgAA2IW0L3hCAADA9LcveEIAAKhjuy94QgAAkNK+L3hCAAB4QcIveEIAAGCwxS94QgAASB/JL3hCAAAwjswveEIAABj9zy94QgAAAGzTL3hCAADo2tYveEIAANBJ2i94QgAAuLjdL3hCAACgJ+EveEIAAIiW5C94QgAAcAXoL3hCAABYdOsveEIAAEDj7i94QgAAKFLyL3hCAAAQwfUveEIAAPgv+S94QgAA4J78L3hCAADIDQAweEIAALB8AzB4QgAAmOsGMHhCAACAWgoweEIAAGjJDTB4QgAAUDgRMHhCAAA4pxQweEIAACAWGDB4QgAACIUbMHhCAADw8x4weEIAANhiIjB4QgAAwNElMHhCAACoQCkweEIAAJCvLDB4QgAAeB4wMHhCAABgjTMweEIAAEj8NjB4QgAAMGs6MHhCAAAY2j0weEIAAABJQTB4QgAA6LdEMHhCAADQJkgweEIAALiVSzB4QgAAoARPMHhCAACIc1IweEIAAHDiVTB4QgAAWFFZMHhCAABAwFwweEIAACgvYDB4QgAAEJ5jMHhCAAD4DGcweEIAAOB7ajB4QgAAyOptMHhCAACwWXEweEIAAJjIdDB4QgAAgDd4MHhCAABopnsweEIAAFAVfzB4QgAAOISCMHhCAAAg84UweEIAAAhiiTB4QgAA8NCMMHhCAADYP5AweEIAAMCukzB4QgAAqB2XMHhCAACQjJoweEIAAHj7nTB4QgAAYGqhMHhCAABI2aQweEIAADBIqDB4QgAAGLerMHhCAAAAJq8weEIAAOiUsjB4QgAA0AO2MHhCAAC4crkweEIAAKDhvDB4QgAAiFDAMHhCAABwv8MweEIAAFguxzB4QgAAQJ3KMHhCAAAoDM4weEIAABB70TB4QgAA+OnUMHhCAADgWNgweEIAAMjH2zB4QgAAsDbfMHhCAACYpeIweEIAAIAU5jB4QgAAaIPpMHhCAABQ8uwweEIAADhh8DB4QgAAINDzMHhCAAAIP/cweEIAAPCt+jB4QgAA2Bz+MHhCAADAiwExeEIAAKj6BDF4QgAAkGkIMXhCAAB42AsxeEIAAGBHDzF4QgAASLYSMXhCAAAwJRYxeEIAABiUGTF4QgAAAAMdMXhCAADocSAxeEIAANDgIzF4QgAAuE8nMXhCAACgvioxeEIAAIgtLjF4QgAAcJwxMXhCAABYCzUxeEIAAEB6ODF4QgAAKOk7MXhCAAAQWD8xeEIAAPjGQjF4QgAA4DVGMXhCAADIpEkxeEIAALATTTF4QgAAmIJQMXhCAACA8VMxeEIAAGhgVzF4QgAAUM9aMXhCAAA4Pl4xeEIAACCtYTF4QgAACBxlMXhCAADwimgxeEIAANj5azF4QgAAwGhvMXhCAACo13IxeEIAAJBGdjF4QgAAeLV5MXhCAABgJH0xeEIAAEiTgDF4QgAAMAKEMXhCAAAYcYcxeEIAAADgijF4QgAA6E6OMXhCAADQvZExeEIAALgslTF4QgAAoJuYMXhCAACICpwxeEIAAHB5nzF4QgAAWOiiMXhCAABAV6YxeEIAACjGqTF4QgAAEDWtMXhCAAD4o7AxeEIAAOAStDF4QgAAyIG3MXhCAACw8LoxeEIAAJhfvjF4QgAAgM7BMXhCAABoPcUxeEIAAFCsyDF4QgAAOBvMMXhCAAAgis8xeEIAAAj50jF4QgAA8GfWMXhCAADY1tkxeEIAAMBF3TF4QgAAqLTgMXhCAACQI+QxeEI=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[169]},\"index\":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168],\"residual\":[-2,1,-3,3,-2,-3,6,7,-4,0,0,0,-1,1,0,2,-5,0,-2,-2,3,3,1,0,-1,-4,3,-7,4,4,-4,-17,7,-2,4,-2,7,-1,0,0,5,0,4,4,0,-8,0,0,5,3,0,5,0,-3,-4,8,0,6,-9,-3,-7,-2,4,-5,5,0,0,-1,-5,8,-10,1,7,0,4,-3,-6,8,-4,7,-7,-8,6,12,-5,5,-8,1,-4,0,-4,-1,0,-5,15,-4,-4,0,0,-4,7,5,0,-6,8,3,1,-4,3,-3,3,0,-10,4,5,-3,3,3,-1,5,3,-7,-7,0,6,-6,10,-12,5,-1,-7,0,1,0,-4,1,-3,-6,0,8,-5,3,0,-1,4,5,5,2,-6,1,-6,10,-6,1,3,0,-1,0,2,0,7,2,-1,-4,2,-3,-1,0,-4],\"score\":{\"__ndarray__\":\"oh0zay8p278V3LoTW73JPximcd6RQOS/k+WeFkvH4z+iHTNrLynbvximcd6RQOS/tZWTyJzl8z9Zof/cmTv3P1+9SQeM7Oq/FCGw9LFRfr8UIbD0sVF+vxQhsPSxUX6/Jt4FM3aiy78V3LoTW73JPxQhsPSxUX6/mZyN26E22j9T6hAYQ8zwvxQhsPSxUX6/oh0zay8p27+iHTNrLynbv5PlnhZLx+M/k+WeFkvH4z8V3LoTW73JPxQhsPSxUX6/Jt4FM3aiy79fvUkHjOzqv5PlnhZLx+M/mgHpQD1497/b/HY/RXPqP9v8dj9Fc+o/X71JB4zs6r8Au5AGEGoMwFmh/9yZO/c/oh0zay8p27/b/HY/RXPqP6IdM2svKdu/WaH/3Jk79z8m3gUzdqLLvxQhsPSxUX6/FCGw9LFRfr8Riie0n4/wPxQhsPSxUX6/2/x2P0Vz6j/b/HY/RXPqPxQhsPSxUX6/Pg1VVTrO+r8UIbD0sVF+vxQhsPSxUX6/EYontJ+P8D+T5Z4WS8fjPxQhsPSxUX6/EYontJ+P8D8UIbD0sVF+vximcd6RQOS/X71JB4zs6r/8rGvxlpH6PxQhsPSxUX6/tZWTyJzl8z/iGMFpNyT+vximcd6RQOS/mgHpQD1497+iHTNrLynbv9v8dj9Fc+o/U+oQGEPM8L8Riie0n4/wPxQhsPSxUX6/FCGw9LFRfr8m3gUzdqLLv1PqEBhDzPC//Kxr8ZaR+j9DkhY/Gr0AwBXcuhNbvck/WaH/3Jk79z8UIbD0sVF+v9v8dj9Fc+o/GKZx3pFA5L/39XwsQCL0v/ysa/GWkfo/X71JB4zs6r9Zof/cmTv3P5oB6UA9ePe/Pg1VVTrO+r+1lZPInOXzP8btjaHF9ANAU+oQGEPM8L8Riie0n4/wPz4NVVU6zvq/Fdy6E1u9yT9fvUkHjOzqvxQhsPSxUX6/X71JB4zs6r8m3gUzdqLLvxQhsPSxUX6/U+oQGEPM8L87/y9AwfUIQF+9SQeM7Oq/X71JB4zs6r8UIbD0sVF+vxQhsPSxUX6/X71JB4zs6r9Zof/cmTv3PxGKJ7Sfj/A/FCGw9LFRfr/39XwsQCL0v/ysa/GWkfo/k+WeFkvH4z8V3LoTW73JP1+9SQeM7Oq/k+WeFkvH4z8YpnHekUDkv5PlnhZLx+M/FCGw9LFRfr9DkhY/Gr0AwNv8dj9Fc+o/EYontJ+P8D8YpnHekUDkv5PlnhZLx+M/k+WeFkvH4z8m3gUzdqLLvxGKJ7Sfj/A/k+WeFkvH4z+aAelAPXj3v5oB6UA9ePe/FCGw9LFRfr+1lZPInOXzP/f1fCxAIvS/IuIhjcieAEDmnYJTFxMEwBGKJ7Sfj/A/Jt4FM3aiy7+aAelAPXj3vxQhsPSxUX6/Fdy6E1u9yT8UIbD0sVF+v1+9SQeM7Oq/Fdy6E1u9yT8YpnHekUDkv/f1fCxAIvS/FCGw9LFRfr/8rGvxlpH6P1PqEBhDzPC/k+WeFkvH4z8UIbD0sVF+vybeBTN2osu/2/x2P0Vz6j8Riie0n4/wPxGKJ7Sfj/A/mZyN26E22j/39XwsQCL0vxXcuhNbvck/9/V8LEAi9L8i4iGNyJ4AQPf1fCxAIvS/Fdy6E1u9yT+T5Z4WS8fjPxQhsPSxUX6/Jt4FM3aiy78UIbD0sVF+v5mcjduhNto/FCGw9LFRfr9Zof/cmTv3P5mcjduhNto/Jt4FM3aiy79fvUkHjOzqv5mcjduhNto/GKZx3pFA5L8m3gUzdqLLvxQhsPSxUX6/X71JB4zs6r8=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[169]},\"seasonal\":[-14,4,-4,8,-7,-4,5,5,-1,20,1,-11,-3,-6,2,-7,0,-8,-1,0,0,9,1,5,-7,4,-2,4,-4,-1,2,8,0,19,0,-7,-5,-7,-1,-8,-2,-7,-2,-2,-2,9,2,5,-2,3,-1,1,-1,1,0,10,3,17,-1,-4,-6,-7,-5,-10,-4,-5,-3,-3,-4,10,3,5,3,3,0,-1,0,2,-1,13,6,16,-3,-1,-7,-8,-8,-11,-6,-4,-5,-4,-6,11,3,6,4,3,0,-1,1,0,1,17,6,17,-4,0,-4,-7,-9,-11,-4,-4,-7,-4,-5,10,1,5,1,3,-1,-1,0,-4,3,21,5,17,-4,0,-2,-7,-10,-10,-1,-4,-9,-5,-4,9,0,5,-2,4,-1,0,0,-8,5,25,5,18,-5,-1,0,-7,-11,-9,3,-4,-11,-5,-2,8,-4,5,-7],\"trend\":[34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,35,35,35,35,35,35,35,35,35,35,36,36,36,36,36,36,36,36,35,35,35,35,35,35,35,35,34,34,34,34,34,34,34,34,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,32,32,32,32,32,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,34,34,34,34,33,33,33,33,33,33,33,33,33,33,33,32,32,32,32,32,32,32,32,32,32,32,32,32,33,33,33,33,33,33,33,33,33,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34],\"weights\":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},\"selected\":{\"id\":\"8428\"},\"selection_policy\":{\"id\":\"8427\"}},\"id\":\"8347\",\"type\":\"ColumnDataSource\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"value\":\"blue\"},\"hatch_alpha\":{\"value\":0.2},\"hatch_color\":{\"value\":\"blue\"},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"blue\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"score\"}},\"id\":\"8555\",\"type\":\"Circle\"},{\"attributes\":{},\"id\":\"8537\",\"type\":\"DataRange1d\"},{\"attributes\":{\"coordinates\":null,\"formatter\":{\"id\":\"8549\"},\"group\":null,\"major_label_policy\":{\"id\":\"8571\"},\"ticker\":{\"id\":\"8544\"}},\"id\":\"8543\",\"type\":\"DatetimeAxis\"},{\"attributes\":{},\"id\":\"8539\",\"type\":\"LinearScale\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"text\":\"Range Selector\"},\"id\":\"8533\",\"type\":\"Title\"},{\"attributes\":{\"num_minor_ticks\":5,\"tickers\":[{\"id\":\"8592\"},{\"id\":\"8593\"},{\"id\":\"8594\"},{\"id\":\"8595\"},{\"id\":\"8596\"},{\"id\":\"8597\"},{\"id\":\"8598\"},{\"id\":\"8599\"},{\"id\":\"8600\"},{\"id\":\"8601\"},{\"id\":\"8602\"},{\"id\":\"8603\"}]},\"id\":\"8544\",\"type\":\"DatetimeTicker\"},{\"attributes\":{\"axis\":{\"id\":\"8543\"},\"coordinates\":null,\"group\":null,\"ticker\":null},\"id\":\"8546\",\"type\":\"Grid\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"value\":\"blue\"},\"hatch_alpha\":{\"value\":0.1},\"hatch_color\":{\"value\":\"blue\"},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"blue\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"score\"}},\"id\":\"8554\",\"type\":\"Circle\"},{\"attributes\":{},\"id\":\"8541\",\"type\":\"LinearScale\"},{\"attributes\":{\"overlay\":{\"id\":\"8559\"},\"x_range\":{\"id\":\"8383\"},\"y_range\":null},\"id\":\"8558\",\"type\":\"RangeTool\"},{\"attributes\":{\"source\":{\"id\":\"8551\"}},\"id\":\"8557\",\"type\":\"CDSView\"},{\"attributes\":{\"bottom_units\":\"screen\",\"coordinates\":null,\"fill_alpha\":0.5,\"fill_color\":\"lightgrey\",\"group\":null,\"left_units\":\"screen\",\"level\":\"overlay\",\"line_alpha\":1.0,\"line_color\":\"black\",\"line_dash\":[4,4],\"line_width\":2,\"right_units\":\"screen\",\"syncable\":false,\"top_units\":\"screen\"},\"id\":\"8404\",\"type\":\"BoxAnnotation\"},{\"attributes\":{},\"id\":\"8589\",\"type\":\"UnionRenderers\"},{\"attributes\":{\"axis_label\":\"date_clock\",\"coordinates\":null,\"formatter\":{\"id\":\"8412\"},\"group\":null,\"major_label_policy\":{\"id\":\"8426\"},\"ticker\":{\"id\":\"8392\"}},\"id\":\"8391\",\"type\":\"DatetimeAxis\"},{\"attributes\":{\"num_minor_ticks\":10,\"tickers\":[{\"id\":\"8430\"},{\"id\":\"8431\"},{\"id\":\"8432\"},{\"id\":\"8433\"},{\"id\":\"8434\"},{\"id\":\"8435\"},{\"id\":\"8436\"},{\"id\":\"8437\"},{\"id\":\"8438\"},{\"id\":\"8439\"},{\"id\":\"8440\"},{\"id\":\"8441\"}]},\"id\":\"8392\",\"type\":\"DatetimeTicker\"},{\"attributes\":{},\"id\":\"8424\",\"type\":\"AllLabels\"},{\"attributes\":{\"base\":60,\"mantissas\":[1,2,5,10,15,20,30],\"max_interval\":1800000.0,\"min_interval\":1000.0,\"num_minor_ticks\":0},\"id\":\"8593\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{},\"id\":\"8426\",\"type\":\"AllLabels\"},{\"attributes\":{\"dimensions\":\"width\"},\"id\":\"8403\",\"type\":\"PanTool\"},{\"attributes\":{\"dimensions\":\"width\"},\"id\":\"8399\",\"type\":\"WheelZoomTool\"},{\"attributes\":{\"base\":24,\"mantissas\":[1,2,4,6,8,12],\"max_interval\":43200000.0,\"min_interval\":3600000.0,\"num_minor_ticks\":0},\"id\":\"8594\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{},\"id\":\"8402\",\"type\":\"SaveTool\"},{\"attributes\":{\"axis_label\":\"count\",\"coordinates\":null,\"formatter\":{\"id\":\"8414\"},\"group\":null,\"major_label_policy\":{\"id\":\"8424\"},\"ticker\":{\"id\":\"8396\"}},\"id\":\"8395\",\"type\":\"LinearAxis\"},{\"attributes\":{},\"id\":\"8427\",\"type\":\"UnionRenderers\"},{\"attributes\":{},\"id\":\"8590\",\"type\":\"Selection\"},{\"attributes\":{},\"id\":\"8428\",\"type\":\"Selection\"},{\"attributes\":{\"overlay\":{\"id\":\"8404\"}},\"id\":\"8400\",\"type\":\"BoxZoomTool\"},{\"attributes\":{\"line_alpha\":0.1,\"line_color\":\"green\",\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"baseline\"}},\"id\":\"8446\",\"type\":\"Line\"},{\"attributes\":{\"axis\":{\"id\":\"8395\"},\"coordinates\":null,\"dimension\":1,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"8398\",\"type\":\"Grid\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"8347\"},\"glyph\":{\"id\":\"8445\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"8447\"},\"nonselection_glyph\":{\"id\":\"8446\"},\"view\":{\"id\":\"8449\"}},\"id\":\"8448\",\"type\":\"GlyphRenderer\"},{\"attributes\":{\"days\":[1,4,7,10,13,16,19,22,25,28]},\"id\":\"8596\",\"type\":\"DaysTicker\"},{\"attributes\":{},\"id\":\"8389\",\"type\":\"LinearScale\"},{\"attributes\":{\"source\":{\"id\":\"8347\"}},\"id\":\"8449\",\"type\":\"CDSView\"},{\"attributes\":{\"line_color\":\"green\",\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"baseline\"}},\"id\":\"8445\",\"type\":\"Line\"},{\"attributes\":{\"line_alpha\":0.2,\"line_color\":\"green\",\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"baseline\"}},\"id\":\"8447\",\"type\":\"Line\"},{\"attributes\":{\"data\":{\"baseline\":[36],\"count\":[52],\"date_clock\":{\"__ndarray__\":\"AACAFOYweEI=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[1]},\"index\":[94],\"level_0\":[0],\"residual\":[15],\"score\":{\"__ndarray__\":\"O/8vQMH1CEA=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[1]},\"seasonal\":[3],\"trend\":[33],\"weights\":[1]},\"selected\":{\"id\":\"8486\"},\"selection_policy\":{\"id\":\"8485\"}},\"id\":\"8471\",\"type\":\"ColumnDataSource\"},{\"attributes\":{\"mantissas\":[1,2,5],\"max_interval\":500.0,\"num_minor_ticks\":0},\"id\":\"8592\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{\"below\":[{\"id\":\"8391\"}],\"center\":[{\"id\":\"8394\"},{\"id\":\"8398\"},{\"id\":\"8442\"}],\"height\":300,\"left\":[{\"id\":\"8395\"}],\"min_border_left\":50,\"renderers\":[{\"id\":\"8420\"},{\"id\":\"8448\"},{\"id\":\"8476\"}],\"title\":{\"id\":\"8381\"},\"toolbar\":{\"id\":\"8405\"},\"toolbar_location\":\"above\",\"width\":1200,\"x_range\":{\"id\":\"8383\"},\"x_scale\":{\"id\":\"8387\"},\"y_range\":{\"id\":\"8385\"},\"y_scale\":{\"id\":\"8389\"}},\"id\":\"8380\",\"subtype\":\"Figure\",\"type\":\"Plot\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"8551\"},\"glyph\":{\"id\":\"8553\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"8555\"},\"nonselection_glyph\":{\"id\":\"8554\"},\"view\":{\"id\":\"8557\"}},\"id\":\"8556\",\"type\":\"GlyphRenderer\"},{\"attributes\":{\"label\":{\"value\":\"baseline\"},\"renderers\":[{\"id\":\"8448\"}]},\"id\":\"8470\",\"type\":\"LegendItem\"},{\"attributes\":{\"days\":[1,8,15,22]},\"id\":\"8597\",\"type\":\"DaysTicker\"},{\"attributes\":{\"base\":60,\"mantissas\":[1,2,5,10,15,20,30],\"max_interval\":1800000.0,\"min_interval\":1000.0,\"num_minor_ticks\":0},\"id\":\"8431\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{\"base\":24,\"mantissas\":[1,2,4,6,8,12],\"max_interval\":43200000.0,\"min_interval\":3600000.0,\"num_minor_ticks\":0},\"id\":\"8432\",\"type\":\"AdaptiveTicker\"},{\"attributes\":{\"days\":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31]},\"id\":\"8595\",\"type\":\"DaysTicker\"},{\"attributes\":{\"months\":[0,4,8]},\"id\":\"8439\",\"type\":\"MonthsTicker\"},{\"attributes\":{\"fill_color\":{\"value\":\"#1f77b4\"},\"line_color\":{\"value\":\"navy\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8417\",\"type\":\"Circle\"},{\"attributes\":{\"months\":[0,1,2,3,4,5,6,7,8,9,10,11]},\"id\":\"8437\",\"type\":\"MonthsTicker\"},{\"attributes\":{\"days\":[1,15]},\"id\":\"8436\",\"type\":\"DaysTicker\"},{\"attributes\":{},\"id\":\"8401\",\"type\":\"ResetTool\"},{\"attributes\":{\"days\":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31]},\"id\":\"8433\",\"type\":\"DaysTicker\"},{\"attributes\":{\"days\":[1,4,7,10,13,16,19,22,25,28]},\"id\":\"8434\",\"type\":\"DaysTicker\"},{\"attributes\":{\"days\":[1,8,15,22]},\"id\":\"8435\",\"type\":\"DaysTicker\"},{\"attributes\":{\"axis\":{\"id\":\"8391\"},\"coordinates\":null,\"grid_line_color\":null,\"group\":null,\"ticker\":null},\"id\":\"8394\",\"type\":\"Grid\"},{\"attributes\":{\"tools\":[{\"id\":\"8348\"},{\"id\":\"8399\"},{\"id\":\"8400\"},{\"id\":\"8401\"},{\"id\":\"8402\"},{\"id\":\"8403\"}]},\"id\":\"8405\",\"type\":\"Toolbar\"},{\"attributes\":{\"months\":[0,2,4,6,8,10]},\"id\":\"8438\",\"type\":\"MonthsTicker\"},{\"attributes\":{},\"id\":\"8396\",\"type\":\"BasicTicker\"},{\"attributes\":{\"months\":[0,1,2,3,4,5,6,7,8,9,10,11]},\"id\":\"8599\",\"type\":\"MonthsTicker\"},{\"attributes\":{},\"id\":\"8603\",\"type\":\"YearsTicker\"},{\"attributes\":{\"days\":[1,15]},\"id\":\"8598\",\"type\":\"DaysTicker\"},{\"attributes\":{\"months\":[0,6]},\"id\":\"8602\",\"type\":\"MonthsTicker\"},{\"attributes\":{\"end\":1662690240000.0,\"start\":1662024960000.0},\"id\":\"8383\",\"type\":\"Range1d\"},{\"attributes\":{\"months\":[0,2,4,6,8,10]},\"id\":\"8600\",\"type\":\"MonthsTicker\"},{\"attributes\":{\"align\":\"right\",\"coordinates\":null,\"group\":null,\"text\":\"Drag the middle or edges of the selection box to change the range in the main chart\",\"text_font_size\":\"10px\"},\"id\":\"8548\",\"type\":\"Title\"},{\"attributes\":{\"months\":[0,4,8]},\"id\":\"8601\",\"type\":\"MonthsTicker\"},{\"attributes\":{},\"id\":\"8486\",\"type\":\"Selection\"},{\"attributes\":{\"format\":\"00\"},\"id\":\"8414\",\"type\":\"NumeralTickFormatter\"},{\"attributes\":{\"label\":{\"value\":\"anomalies\"},\"renderers\":[{\"id\":\"8476\"}]},\"id\":\"8500\",\"type\":\"LegendItem\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"value\":\"firebrick\"},\"hatch_color\":{\"value\":\"firebrick\"},\"line_color\":{\"value\":\"firebrick\"},\"marker\":{\"value\":\"circle_x\"},\"size\":{\"value\":12},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8473\",\"type\":\"Scatter\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.2},\"fill_color\":{\"value\":\"firebrick\"},\"hatch_alpha\":{\"value\":0.2},\"hatch_color\":{\"value\":\"firebrick\"},\"line_alpha\":{\"value\":0.2},\"line_color\":{\"value\":\"firebrick\"},\"marker\":{\"value\":\"circle_x\"},\"size\":{\"value\":12},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8475\",\"type\":\"Scatter\"},{\"attributes\":{\"coordinates\":null,\"group\":null,\"text\":\"Time Series Anomalies Visualization\"},\"id\":\"8381\",\"type\":\"Title\"},{\"attributes\":{},\"id\":\"8387\",\"type\":\"LinearScale\"},{\"attributes\":{},\"id\":\"8485\",\"type\":\"UnionRenderers\"},{\"attributes\":{\"source\":{\"id\":\"8471\"}},\"id\":\"8477\",\"type\":\"CDSView\"},{\"attributes\":{},\"id\":\"8571\",\"type\":\"AllLabels\"},{\"attributes\":{\"coordinates\":null,\"data_source\":{\"id\":\"8471\"},\"glyph\":{\"id\":\"8473\"},\"group\":null,\"hover_glyph\":null,\"muted_glyph\":{\"id\":\"8475\"},\"nonselection_glyph\":{\"id\":\"8474\"},\"view\":{\"id\":\"8477\"}},\"id\":\"8476\",\"type\":\"GlyphRenderer\"},{\"attributes\":{\"days\":[\"%m-%d %H:%M\"],\"hours\":[\"%H:%M:%S\"],\"milliseconds\":[\"%H:%M:%S.%3N\"],\"minutes\":[\"%H:%M:%S\"],\"seconds\":[\"%H:%M:%S\"]},\"id\":\"8412\",\"type\":\"DatetimeTickFormatter\"},{\"attributes\":{\"fill_alpha\":{\"value\":0.1},\"fill_color\":{\"value\":\"firebrick\"},\"hatch_alpha\":{\"value\":0.1},\"hatch_color\":{\"value\":\"firebrick\"},\"line_alpha\":{\"value\":0.1},\"line_color\":{\"value\":\"firebrick\"},\"marker\":{\"value\":\"circle_x\"},\"size\":{\"value\":12},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"count\"}},\"id\":\"8474\",\"type\":\"Scatter\"},{\"attributes\":{\"days\":[\"%m-%d %H:%M\"],\"hours\":[\"%H:%M:%S\"],\"milliseconds\":[\"%H:%M:%S.%3N\"],\"minutes\":[\"%H:%M:%S\"],\"seconds\":[\"%H:%M:%S\"]},\"id\":\"8549\",\"type\":\"DatetimeTickFormatter\"},{\"attributes\":{\"fill_color\":{\"value\":\"blue\"},\"hatch_color\":{\"value\":\"blue\"},\"line_color\":{\"value\":\"blue\"},\"x\":{\"field\":\"date_clock\"},\"y\":{\"field\":\"score\"}},\"id\":\"8553\",\"type\":\"Circle\"},{\"attributes\":{\"data\":{\"anomalies\":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"baseline\":[19,38,29,42,26,29,39,40,32,54,35,23,30,27,36,27,34,25,33,33,34,43,35,40,26,38,31,39,30,33,37,43,36,54,35,28,30,28,34,26,33,28,33,34,33,46,38,41,33,39,34,36,33,36,35,45,38,52,33,30,28,26,29,23,29,28,29,30,28,43,36,39,36,36,33,31,34,35,31,46,39,49,29,31,25,24,24,21,26,28,27,28,26,44,36,39,38,36,32,32,34,32,34,50,40,50,29,33,29,26,24,22,29,29,26,29,27,44,34,38,34,36,31,31,33,28,35,54,38,50,28,31,30,25,22,22,32,29,24,28,29,43,33,39,31,38,32,33,34,25,40,60,39,52,29,33,35,27,23,24,38,30,23,29,32,43,30,40,27],\"count\":[17,40,26,46,24,26,46,48,28,55,35,24,29,29,36,30,29,25,31,31,38,47,37,40,25,34,35,32,35,38,33,26,44,52,40,26,38,27,34,26,39,29,38,39,33,38,39,42,39,43,35,42,34,33,31,54,38,59,24,27,21,24,34,18,35,29,29,29,23,52,26,41,44,37,38,28,28,44,27,54,32,41,36,44,20,30,16,23,22,28,23,27,26,39,52,35,34,37,32,28,42,38,34,44,49,54,31,29,33,23,28,22,19,34,32,26,31,48,33,44,38,29,24,32,40,22,46,42,44,49,21,31,32,25,18,24,29,23,24,37,24,47,33,38,36,44,38,36,28,27,34,71,33,54,33,34,34,28,26,24,46,33,22,25,35,40,29,40,23],\"date_clock\":{\"__ndarray__\":\"AABQW6MveEIAADjKpi94QgAAIDmqL3hCAAAIqK0veEIAAPAWsS94QgAA2IW0L3hCAADA9LcveEIAAKhjuy94QgAAkNK+L3hCAAB4QcIveEIAAGCwxS94QgAASB/JL3hCAAAwjswveEIAABj9zy94QgAAAGzTL3hCAADo2tYveEIAANBJ2i94QgAAuLjdL3hCAACgJ+EveEIAAIiW5C94QgAAcAXoL3hCAABYdOsveEIAAEDj7i94QgAAKFLyL3hCAAAQwfUveEIAAPgv+S94QgAA4J78L3hCAADIDQAweEIAALB8AzB4QgAAmOsGMHhCAACAWgoweEIAAGjJDTB4QgAAUDgRMHhCAAA4pxQweEIAACAWGDB4QgAACIUbMHhCAADw8x4weEIAANhiIjB4QgAAwNElMHhCAACoQCkweEIAAJCvLDB4QgAAeB4wMHhCAABgjTMweEIAAEj8NjB4QgAAMGs6MHhCAAAY2j0weEIAAABJQTB4QgAA6LdEMHhCAADQJkgweEIAALiVSzB4QgAAoARPMHhCAACIc1IweEIAAHDiVTB4QgAAWFFZMHhCAABAwFwweEIAACgvYDB4QgAAEJ5jMHhCAAD4DGcweEIAAOB7ajB4QgAAyOptMHhCAACwWXEweEIAAJjIdDB4QgAAgDd4MHhCAABopnsweEIAAFAVfzB4QgAAOISCMHhCAAAg84UweEIAAAhiiTB4QgAA8NCMMHhCAADYP5AweEIAAMCukzB4QgAAqB2XMHhCAACQjJoweEIAAHj7nTB4QgAAYGqhMHhCAABI2aQweEIAADBIqDB4QgAAGLerMHhCAAAAJq8weEIAAOiUsjB4QgAA0AO2MHhCAAC4crkweEIAAKDhvDB4QgAAiFDAMHhCAABwv8MweEIAAFguxzB4QgAAQJ3KMHhCAAAoDM4weEIAABB70TB4QgAA+OnUMHhCAADgWNgweEIAAMjH2zB4QgAAsDbfMHhCAACYpeIweEIAAIAU5jB4QgAAaIPpMHhCAABQ8uwweEIAADhh8DB4QgAAINDzMHhCAAAIP/cweEIAAPCt+jB4QgAA2Bz+MHhCAADAiwExeEIAAKj6BDF4QgAAkGkIMXhCAAB42AsxeEIAAGBHDzF4QgAASLYSMXhCAAAwJRYxeEIAABiUGTF4QgAAAAMdMXhCAADocSAxeEIAANDgIzF4QgAAuE8nMXhCAACgvioxeEIAAIgtLjF4QgAAcJwxMXhCAABYCzUxeEIAAEB6ODF4QgAAKOk7MXhCAAAQWD8xeEIAAPjGQjF4QgAA4DVGMXhCAADIpEkxeEIAALATTTF4QgAAmIJQMXhCAACA8VMxeEIAAGhgVzF4QgAAUM9aMXhCAAA4Pl4xeEIAACCtYTF4QgAACBxlMXhCAADwimgxeEIAANj5azF4QgAAwGhvMXhCAACo13IxeEIAAJBGdjF4QgAAeLV5MXhCAABgJH0xeEIAAEiTgDF4QgAAMAKEMXhCAAAYcYcxeEIAAADgijF4QgAA6E6OMXhCAADQvZExeEIAALgslTF4QgAAoJuYMXhCAACICpwxeEIAAHB5nzF4QgAAWOiiMXhCAABAV6YxeEIAACjGqTF4QgAAEDWtMXhCAAD4o7AxeEIAAOAStDF4QgAAyIG3MXhCAACw8LoxeEIAAJhfvjF4QgAAgM7BMXhCAABoPcUxeEIAAFCsyDF4QgAAOBvMMXhCAAAgis8xeEIAAAj50jF4QgAA8GfWMXhCAADY1tkxeEIAAMBF3TF4QgAAqLTgMXhCAACQI+QxeEI=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[169]},\"index\":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168],\"residual\":[-2,1,-3,3,-2,-3,6,7,-4,0,0,0,-1,1,0,2,-5,0,-2,-2,3,3,1,0,-1,-4,3,-7,4,4,-4,-17,7,-2,4,-2,7,-1,0,0,5,0,4,4,0,-8,0,0,5,3,0,5,0,-3,-4,8,0,6,-9,-3,-7,-2,4,-5,5,0,0,-1,-5,8,-10,1,7,0,4,-3,-6,8,-4,7,-7,-8,6,12,-5,5,-8,1,-4,0,-4,-1,0,-5,15,-4,-4,0,0,-4,7,5,0,-6,8,3,1,-4,3,-3,3,0,-10,4,5,-3,3,3,-1,5,3,-7,-7,0,6,-6,10,-12,5,-1,-7,0,1,0,-4,1,-3,-6,0,8,-5,3,0,-1,4,5,5,2,-6,1,-6,10,-6,1,3,0,-1,0,2,0,7,2,-1,-4,2,-3,-1,0,-4],\"score\":{\"__ndarray__\":\"oh0zay8p278V3LoTW73JPximcd6RQOS/k+WeFkvH4z+iHTNrLynbvximcd6RQOS/tZWTyJzl8z9Zof/cmTv3P1+9SQeM7Oq/FCGw9LFRfr8UIbD0sVF+vxQhsPSxUX6/Jt4FM3aiy78V3LoTW73JPxQhsPSxUX6/mZyN26E22j9T6hAYQ8zwvxQhsPSxUX6/oh0zay8p27+iHTNrLynbv5PlnhZLx+M/k+WeFkvH4z8V3LoTW73JPxQhsPSxUX6/Jt4FM3aiy79fvUkHjOzqv5PlnhZLx+M/mgHpQD1497/b/HY/RXPqP9v8dj9Fc+o/X71JB4zs6r8Au5AGEGoMwFmh/9yZO/c/oh0zay8p27/b/HY/RXPqP6IdM2svKdu/WaH/3Jk79z8m3gUzdqLLvxQhsPSxUX6/FCGw9LFRfr8Riie0n4/wPxQhsPSxUX6/2/x2P0Vz6j/b/HY/RXPqPxQhsPSxUX6/Pg1VVTrO+r8UIbD0sVF+vxQhsPSxUX6/EYontJ+P8D+T5Z4WS8fjPxQhsPSxUX6/EYontJ+P8D8UIbD0sVF+vximcd6RQOS/X71JB4zs6r/8rGvxlpH6PxQhsPSxUX6/tZWTyJzl8z/iGMFpNyT+vximcd6RQOS/mgHpQD1497+iHTNrLynbv9v8dj9Fc+o/U+oQGEPM8L8Riie0n4/wPxQhsPSxUX6/FCGw9LFRfr8m3gUzdqLLv1PqEBhDzPC//Kxr8ZaR+j9DkhY/Gr0AwBXcuhNbvck/WaH/3Jk79z8UIbD0sVF+v9v8dj9Fc+o/GKZx3pFA5L/39XwsQCL0v/ysa/GWkfo/X71JB4zs6r9Zof/cmTv3P5oB6UA9ePe/Pg1VVTrO+r+1lZPInOXzP8btjaHF9ANAU+oQGEPM8L8Riie0n4/wPz4NVVU6zvq/Fdy6E1u9yT9fvUkHjOzqvxQhsPSxUX6/X71JB4zs6r8m3gUzdqLLvxQhsPSxUX6/U+oQGEPM8L87/y9AwfUIQF+9SQeM7Oq/X71JB4zs6r8UIbD0sVF+vxQhsPSxUX6/X71JB4zs6r9Zof/cmTv3PxGKJ7Sfj/A/FCGw9LFRfr/39XwsQCL0v/ysa/GWkfo/k+WeFkvH4z8V3LoTW73JP1+9SQeM7Oq/k+WeFkvH4z8YpnHekUDkv5PlnhZLx+M/FCGw9LFRfr9DkhY/Gr0AwNv8dj9Fc+o/EYontJ+P8D8YpnHekUDkv5PlnhZLx+M/k+WeFkvH4z8m3gUzdqLLvxGKJ7Sfj/A/k+WeFkvH4z+aAelAPXj3v5oB6UA9ePe/FCGw9LFRfr+1lZPInOXzP/f1fCxAIvS/IuIhjcieAEDmnYJTFxMEwBGKJ7Sfj/A/Jt4FM3aiy7+aAelAPXj3vxQhsPSxUX6/Fdy6E1u9yT8UIbD0sVF+v1+9SQeM7Oq/Fdy6E1u9yT8YpnHekUDkv/f1fCxAIvS/FCGw9LFRfr/8rGvxlpH6P1PqEBhDzPC/k+WeFkvH4z8UIbD0sVF+vybeBTN2osu/2/x2P0Vz6j8Riie0n4/wPxGKJ7Sfj/A/mZyN26E22j/39XwsQCL0vxXcuhNbvck/9/V8LEAi9L8i4iGNyJ4AQPf1fCxAIvS/Fdy6E1u9yT+T5Z4WS8fjPxQhsPSxUX6/Jt4FM3aiy78UIbD0sVF+v5mcjduhNto/FCGw9LFRfr9Zof/cmTv3P5mcjduhNto/Jt4FM3aiy79fvUkHjOzqv5mcjduhNto/GKZx3pFA5L8m3gUzdqLLvxQhsPSxUX6/X71JB4zs6r8=\",\"dtype\":\"float64\",\"order\":\"little\",\"shape\":[169]},\"seasonal\":[-14,4,-4,8,-7,-4,5,5,-1,20,1,-11,-3,-6,2,-7,0,-8,-1,0,0,9,1,5,-7,4,-2,4,-4,-1,2,8,0,19,0,-7,-5,-7,-1,-8,-2,-7,-2,-2,-2,9,2,5,-2,3,-1,1,-1,1,0,10,3,17,-1,-4,-6,-7,-5,-10,-4,-5,-3,-3,-4,10,3,5,3,3,0,-1,0,2,-1,13,6,16,-3,-1,-7,-8,-8,-11,-6,-4,-5,-4,-6,11,3,6,4,3,0,-1,1,0,1,17,6,17,-4,0,-4,-7,-9,-11,-4,-4,-7,-4,-5,10,1,5,1,3,-1,-1,0,-4,3,21,5,17,-4,0,-2,-7,-10,-10,-1,-4,-9,-5,-4,9,0,5,-2,4,-1,0,0,-8,5,25,5,18,-5,-1,0,-7,-11,-9,3,-4,-11,-5,-2,8,-4,5,-7],\"trend\":[34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,35,35,35,35,35,35,35,35,35,35,36,36,36,36,36,36,36,36,35,35,35,35,35,35,35,35,34,34,34,34,34,34,34,34,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,32,32,32,32,32,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,34,34,34,34,33,33,33,33,33,33,33,33,33,33,33,32,32,32,32,32,32,32,32,32,32,32,32,32,33,33,33,33,33,33,33,33,33,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34,34],\"weights\":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},\"selected\":{\"id\":\"8590\"},\"selection_policy\":{\"id\":\"8589\"}},\"id\":\"8551\",\"type\":\"ColumnDataSource\"},{\"attributes\":{\"active_multi\":{\"id\":\"8558\"},\"tools\":[{\"id\":\"8558\"}]},\"id\":\"8547\",\"type\":\"Toolbar\"},{\"attributes\":{},\"id\":\"8385\",\"type\":\"DataRange1d\"}],\"root_ids\":[\"8563\"]},\"title\":\"Bokeh Application\",\"version\":\"2.4.2\"}};\n  const render_items = [{\"docid\":\"70465022-a210-4640-b276-2bf87def5374\",\"root_ids\":[\"8563\"],\"roots\":{\"8563\":\"33e232ab-a5ae-4857-bd62-01520a0427ac\"}}];\n  root.Bokeh.embed.embed_items_notebook(docs_json, render_items);\n\n  }\n  if (root.Bokeh !== undefined) {\n    embed_document(root);\n  } else {\n    let attempts = 0;\n    const timer = setInterval(function(root) {\n      if (root.Bokeh !== undefined) {\n        clearInterval(timer);\n        embed_document(root);\n      } else {\n        attempts++;\n        if (attempts > 100) {\n          clearInterval(timer);\n          console.log(\"Bokeh: ERROR: Unable to run BokehJS code because BokehJS library is missing\");\n        }\n      }\n    }, 10, root)\n  }\n})(window);",
650 |       "application/vnd.bokehjs_exec.v0+json": ""
651 |      },
652 |      "metadata": {
653 |       "application/vnd.bokehjs_exec.v0+json": {
654 |        "id": "8563"
655 |       }
656 |      },
657 |      "output_type": "display_data"
658 |     }
659 |    ],
660 |    "source": [
661 |     "from msticpy.nbtools.timeseries import display_timeseries_anomolies\n",
662 |     "\n",
663 |     "# display_timeseries_anomolies関数の使用上、事前に結果のタイムフィールドにdatetime型を適用し、かつ時系列順に並び替える\n",
664 |     "output['date_clock'] = pd.to_datetime(output['date_clock'])\n",
665 |     "output = output.sort_values(by='date_clock')\n",
666 |     "\n",
667 |     "timeseries_anomalies_plot = display_timeseries_anomolies(\n",
668 |     "    data=output, \n",
669 |     "    y='count',\n",
670 |     "    time_column='date_clock'\n",
671 |     "    )"
672 |    ]
673 |   },
674 |   {
675 |    "attachments": {},
676 |    "cell_type": "markdown",
677 |    "metadata": {},
678 |    "source": []
679 |   }
680 |  ],
681 |  "metadata": {
682 |   "kernelspec": {
683 |    "display_name": "Python 3",
684 |    "language": "python",
685 |    "name": "python3"
686 |   },
687 |   "language_info": {
688 |    "codemirror_mode": {
689 |     "name": "ipython",
690 |     "version": 3
691 |    },
692 |    "file_extension": ".py",
693 |    "mimetype": "text/x-python",
694 |    "name": "python",
695 |    "nbconvert_exporter": "python",
696 |    "pygments_lexer": "ipython3",
697 |    "version": "3.9.12"
698 |   },
699 |   "orig_nbformat": 4
700 |  },
701 |  "nbformat": 4,
702 |  "nbformat_minor": 2
703 | }
704 | 


--------------------------------------------------------------------------------