Systems and methods of reconstructing execution call flows to detect anomalies is provided. A device can establish call flows using information extracted from a log file to. Each of the call flows can identify information from the log file of a call flowing through a plurality of modules. The device can identify a count of a number of occurrences of one or more keywords in information of each call flow. The device can generate a vector of numbers for each call flow based at least on the count for the one or more keywords for that call flow. The device can classify each call flow into one or more clusters that indicate whether an operation of the call flow is anomalous. The device can classify each call flow using the vector of numbers for each call flow.