Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to communications: Application filed on 07/20/2018. Claims 1, 9 and 14 are independent claims. Claims 1-19 have been examined and rejected in the current patent application.
Response to Arguments
Applicant presents the following arguments in the February 16, 2021 amendment.
Applicant's arguments with respect to claims 1, 9 and 14 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.  
In view of the amendment filed February 16, 2021 to the title, the claim interpretation of claims 1, 4 and 8 under 35 USC § 112(f) is withdrawn.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/16/2021 has been entered. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 9 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. (US 2014/0164376 A1, hereinafter Yang) in view of Cohen et al. (US 2011/0185234 A1, hereinafter Cohen). 
 	Regarding independent claim(s) 1, Yang discloses a system comprising: a cluster dictionary comprising a plurality of cluster families of event messages, wherein each cluster family includes a plurality of message clusters that overlap each other to be grouped together as a single cluster family; and a processor to (Yang discloses a diagnostic log can include numerous textual event messages pertaining to alerts, crash dumps, and exception tracing, for example, which describe the behavior of a computer system. Locating pertinent information to address a problem can be time consuming, because of the sheer quantity of messages comprising a diagnostic log.  Hierarchical clustering, also known as hierarchical cluster analysis, is an algorithm that groups similar objects into groups called clusters. The endpoint is a set of clusters, where each cluster is distinct from each other cluster, and the objects within each cluster are broadly similar to each other (wherein each cluster family includes a plurality of message clusters that overlap each other to be grouped together as a single cluster family). A set of strings can first be clustered/family based on string length and subsequently each string length cluster can be clustered based on edit distance between strings in the cluster. While edit-distance clustering can be executed on a single computer, it can also be distributed across a plurality of computers. A process running on a processor, a processor, an object, an instance, an executable, a thread of execution, a program, and/or a computer. Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters), (see Yang: Para. 0013-0022 and 0028-0046). 
This reads on the claim concept of a cluster dictionary comprising a plurality of cluster families of event messages, wherein each cluster family includes a plurality of message clusters that overlap each other to be grouped together as a single cluster family; and a processor to):
	 receive a first new log event message associated with a first computer system event log; select a most active cluster family from the plurality of cluster families to compare with the first new event message, wherein the most active cluster family is a cluster family that receives event messages at a highest rate over a predetermined period of time compared to other cluster families (Yang discloses the pre-process component 110 is configured to receive, retrieve, or otherwise obtain or acquire strings and perform a degree of processing thereon. The construction of new events or actions from a set of observed events and/or stored event data. Cluster system 100 is illustrated. The cluster system receives a set of strings as input and outputs a plurality of string clusters. K-means clustering aims to partition "n" strings into "k" clusters where each string belongs to the cluster with the nearest mean. String length clusters can be divided into separate clusters or sub-clusters as a function of an edit-distance for each pair of strings. Strings are assigned to a clusters based on similarity as determined based on a comparison of string lengths, (see Yang: Para. 0013-0020, 022-0028, 0030-0045 and 0048). This reads on the claim concept of receive a first new log event message associated with a first computer system event log; select a most active cluster family from the plurality of cluster families to compare with the first new event message, wherein the most active cluster family is a cluster family that receives event messages at a highest rate over a predetermined period of time compared to other cluster families); 
	However, Yang does not appear to specifically disclose compare the first new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a particular message cluster in the most active cluster family is identified; and upon identifying the match 
	In the same field of endeavor, Cohen discloses compare the first new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a particular message cluster in the most active cluster family is identified (Cohen discloses the generation of the dictionary applies a translation of text based event messages in respective logs into the dictionary of event types and relate to log analysis. Map each event e(t,msg) to one of the clusters, leading to the new representation of each event as (t, c;), as illustrated in FIG. 7b, which is described hereinafter. The set of message clusters forms the cluster dictionary 450 (i.e. dictionary of event types), with each cluster representing (and being represented by) a message event template text. To create the cluster dictionary 450, mapping the events to a typically much smaller set of message clusters. A first event is read from the log file and compared with existing clusters, using Equation 1, to see if the event matches the template in any existing cluster. This requires automatically discovering such event sequences from the massive logs, a prerequisite for which is that log events can be compared and matched. Each new event is compared to the template in each of the existing clusters in the order in which the clusters were created, and is assigned to the first cluster to which the similarity groups,   (see Cohen: Para. 0021-0035, 0038-0042, 0047-051 and FIG. 4-6). This reads on the claim concept of compare the first new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a particular message cluster in the most active cluster family is identified); and  
	upon identifying the match between the first new event message and the particular message cluster in the most active cluster family, assign the first new log event message to the particular message cluster in the most active cluster family (Cohen discloses a pointer to the text in a template database or the like) of a representative log event message, and a message count 603, indicating the number of times a log event message has been assigned to the cluster. If there exists a cluster to which the cosine distance is equal to or larger than the pre-defined threshold (e.g. 0.85), then the event is deemed to match the cluster and is assigned to that cluster, a record of the assignment is made in the cluster assignment record 440, which is associated with the log file.  0047-0058, 0060-0080 and FIG. 4-6). This reads on the claim concept of upon identifying the match between the first new event message and the particular message cluster in the most active cluster family, assign the first new log event message to the particular message cluster in the most active cluster family). 
	Accordingly, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the clusters that overlap of Yang in order to have incorporated compared with existing clusters, as disclosed by Cohen, since both of these mechanisms are directed to clustering, a group of different data objects is classified as similar objects. One group means a cluster of data. Data sets are divided into different groups in the cluster analysis, which is based on the similarity of the data. After the classification of data into various groups, a label is assigned to the group. It helps in adapting to the changes by doing the classification. The key to interpreting a hierarchical cluster analysis is to look at the point at which any given pair of cards “join together” in the tree diagram. Cards that join together sooner are more similar to each other than those that join together later. Hierarchical cluster analysis forms clusters iteratively, by successively joining or splitting groups. There are two kinds: divisive, which starts with the entire data set in one large group and then successively splits it into smaller groups until each observation is its own group; and agglomerative, in which each observation starts in its own group, and groups are successively paired until at the end every 
	Regarding claim 9 (drawn to a method): claim 9 is a method claim that corresponds to the system of claim 1. Therefore, claim 9 is rejected for at least the same reasons as the system of claim 1. 
	Regarding independent claim(s) 14, Yang discloses a non-transitory computer-readable medium storing instructions that, when executed by a processor, cause the processor to: group a plurality of log event messages of a cluster dictionary into a plurality of cluster families of event messages, wherein  each cluster family of the plurality of cluster families includes message clusters that overlap each other to be grouped together as a single cluster family (Yang discloses the computer 810 can include or otherwise interact with a variety of computer-readable media to facilitate control of the computer. A diagnostic log can include numerous textual event messages pertaining to alerts, crash dumps, and exception tracing, for example, which describe the behavior of a computer system. Locating pertinent information to address a problem can be time consuming, because of the sheer quantity of messages comprising a diagnostic log.  Hierarchical clustering, also known as hierarchical cluster analysis, is an algorithm that groups similar objects into groups called clusters. The endpoint is a set of clusters, where each cluster is distinct from each other cluster, and the objects within each cluster are broadly similar to each other (wherein each cluster family includes a plurality of message clusters that overlap each other to be grouped together as a single cluster family). A set of strings can first be clustered/family based on string length and subsequently each string length cluster can be clustered based on edit distance between strings in the cluster. While edit-distance clustering can be executed on a single computer, it can also be distributed across a plurality of computers. A process running on a processor, a processor, an object, an instance, an executable, a thread of execution, a program, and/or a computer. 
Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters), (see Yang: Para. 0013-0022, 0028-0046 and 0054). This reads on the claim concept of a non-transitory computer-readable medium storing instructions that, when executed by a processor, cause the processor to: group a plurality of log event messages of a cluster dictionary into a plurality of cluster families of event messages, wherein each cluster family of the plurality of cluster families includes message clusters that overlap each other to be grouped together as a single cluster family);
receive a new log event message; select a most active cluster family from the plurality of cluster families to compare with the new event message, wherein the most active cluster family is a cluster family that receives the plurality of event messages at a highest rate over a predetermined period of time compared to other cluster families (Yang discloses the pre-process component 110 is configured to receive, retrieve, or otherwise obtain or acquire strings and perform a degree of processing thereon. The construction of new events or actions from a set of observed events and/or stored event data. Cluster system 100 is illustrated. The cluster system receives a set of strings as input and outputs a plurality of string clusters. K-means clustering aims to partition "n" strings into "k" clusters where each string belongs to the cluster with the nearest mean. String length clusters can be divided into separate clusters or sub-clusters as a function of an edit-distance for each pair of strings. Strings are assigned to a clusters based on similarity as determined based on a comparison of string lengths, (see Yang: Para. 0013-0020, 022-0028, 0030-0045 and 0048). This reads on the claim concept of receive a new log event message; select a most active cluster family from the plurality of cluster families to compare with the new event message, wherein the most active cluster family is a cluster family that receives the plurality of event messages at a highest rate over a predetermined period of time compared to other cluster families); 
	However, Yang does not appear to specifically disclose compare the new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the new event message and a particular message cluster in the most active cluster family is identified; and upon identifying the match between the new event message and the particular message cluster in the most active cluster family, assign the new event message to the particular message cluster in the most active cluster family. 
	In the same field of endeavor, Cohen discloses compare the new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the new event message and a particular message cluster in the most active cluster family is identified (Cohen discloses the generation of the dictionary applies a translation of text based event messages in respective logs into the dictionary of event types and relate to log analysis. Map each event e(t,msg) to one of the clusters, leading to the new representation of each event as (t, c;), as illustrated in FIG. 7b, which is described hereinafter. The set of message clusters forms the cluster dictionary 450 (i.e. dictionary of event types), with each cluster representing (and being represented by) a message event template text. To create the cluster dictionary 450, mapping the events to a typically much smaller set of message clusters. A first event is read from the log file and compared with existing clusters, using Equation 1, to see if the event matches the template in any existing cluster. This requires automatically discovering such event sequences from the massive logs, a prerequisite for which is that log events can be compared and matched. Each new event is compared to the template in each of the existing clusters in the order in which the clusters were created, and is assigned to the first cluster to which the similarity groups,   (see Cohen: Para. 0021-0035, 0038-0042, 0047-051 and FIG. 4-6). This reads on the claim concept of compare the first new event message to each message cluster in the most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a particular message cluster in the most active cluster family is identified); and  
	upon identifying the match between the new event message and the particular message cluster in the most active cluster family, assign the new event message to the particular message cluster in the most active cluster family (Cohen discloses a pointer to the text in a template database or the like) of a representative log event message, and a message count 603, indicating the number of times a log event message has been assigned to the cluster. If there exists a cluster to which the cosine distance is equal to or larger than the pre-defined threshold (e.g. 0.85), then the event is deemed to match the cluster and is assigned to that cluster, a record of the assignment is made in the cluster assignment record 440, which is associated with the log file.  0047-0058, 0060-0080 and FIG. 4-6). This reads on the claim concept of upon identifying the match between the new event message and the particular message cluster in the most active cluster family, assign the new event message to the particular message cluster in the most active cluster family). 
	Accordingly, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the clusters that overlap of Yang in order to have incorporated compared with existing clusters, as disclosed by Cohen, since both of these mechanisms are directed to clustering, a group of different data objects is classified as similar objects. One group means a cluster of data. Data sets are divided into different groups in the cluster analysis, which is based on the similarity of the data. After the classification of data into various groups, a label is assigned to the group. It helps in adapting to the changes by doing the classification. The key to interpreting a hierarchical cluster analysis is to look at the point at which any given pair of cards “join together” in the tree diagram. Cards that join together sooner are more similar to each other than those that join together later. Hierarchical cluster analysis forms clusters iteratively, by successively joining or splitting groups. There are two kinds: divisive, which starts with the entire data set in one large group and then successively splits it into smaller groups until each observation is its own group; and agglomerative, in which each observation starts in its own group, and groups are successively paired until at the end every observation is in the same large group. Divisive methods are computationally intensive and have had limited applications in the social sciences. Agglomerative methods have been implemented in many standard software packages. A cluster refers to a collection of data points aggregated together because of certain similarities. The k-means algorithm searches for a pre-determined number of clusters within an unlabeled multidimensional dataset. It accomplishes this using a simple conception of what the optimal clustering looks like. 
Each event source should register message files that contain description strings for each event identifier, event category, and parameter. You can create one message file that contains descriptions for the event identifiers, categories, and parameters, or create three separate message files. The message identifiers for all of your messages should be unique whether you specify the messages in one file or three files. Several applications can share the same message file. A cluster log is a record of service activity for a member of a server cluster. A cluster connects two or more servers together so that they appear as a single computer to clients. Server clusters can improve service by providing a single point of management and facilitating workload sharing. Clustering is the process of making a group of abstract objects into classes of similar objects. Incorporating the teachings of Cohen into Yang would produce event logs comprises receiving event messages associated with one or more system event logs, each event message including event text, determining a set of message clusters, each comprising a template text, representative of the event messages across the one or more event logs, and assigning each event message to a message cluster of the set, according to a measure of similarity between the respective event text of the event message and the template text of the message cluster, as disclosed by Cohen, (see Abstract). 
Claims 2-6, 8, 10-13 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. (US 2014/0164376 A1, hereinafter Yang) in view of Cohen et al. (US 2011/0185234 A1, hereinafter Cohen) and in view of Kushmerick et al. (US 2015/0370885 A1, hereinafter Kushmerick).  
Regarding dependent claim(s) 2, the combination of Yang and Cohen discloses the system as in claim 1. However, the combination of Yang and Cohen does not appear to specifically disclose wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the most active cluster family, select a next most active cluster family from the plurality of cluster families to compare with the first new event message. 
In the same field of endeavor, Kushmerick discloses wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the most active cluster family, select a next most active cluster family from the plurality of cluster families to compare with the first new event message (Kushmerick discloses there are a number of reasons why event messages, particularly when accumulated and stored by the millions in event-log files (frequency) and fraction of the total number of event messages that are received and logged. A parsing function succeeds when the regular function on which it is based is matched to an entire event message or a portion of an event message. Cluster distributor-component 1434 of the event-message- clustering system 1410 assigns the first event message. The event message to be assigned to a particular existing cluster. Commands that direct the event-message-clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters, add a new cluster, the new cluster defined by a feature vector, cluster identifier, and parsing function provided by the user, remove an existing cluster, and modify an existing cluster. Event messages may be relatively directly transmitted from a component within a discrete computer system to the administration computer or may be collected at various hierarchical levels within a discrete computer and then forwarded from an event message- collecting entity within the discrete computer to the administration computer. Multiple clusters/family of event records 1412-1422. Each cluster includes stored event records, such as the stored event records 1424 of cluster 1412, and a cluster identifier, such as cluster identifier 1426 of cluster. 
The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. One or more log messages may be assigned to initial clusters at an ingest time (e.g., upon receiving the log message(s) from a source), and the log message(s) may be subsequently retrieved in response to a query to modify or supplement the initial clustering and generate statistics and/or presentations based on the clustering. These log targets are associated with specific hosts, and a target may be a specific database application, which is associated with one or more logs and one or more hosts. Clustering is the task of dividing the data points into a number of groups/families such that data points in the same groups are more similar to other data points in the same group/families than those in other groups, (see Kushmerick: Para. 0059-0061, 0069-0077, 0083-0097 and 0124). This reads on the claim concept of wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the most active cluster family, select a next most active cluster family from the plurality of cluster families to compare with the first new event message). 
	Accordingly, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the clusters that overlap and compared with existing clusters of Yang and Cohen in order to have incorporated incoming event messages/new event messages, as disclosed by Kushmerick, since both of these mechanisms are directed to If a line is appended to a log file that matches a pattern, the log file monitor takes a certain action. A clustering algorithm could identify many line patterns that reflect normal system activity and that can be immediately included in the system profile, since the user does not wish to analyze them further with the association rule algorithms. The cluster of outliers that is formed by the clustering algorithm contains infrequent lines that could represent previously unknown fault conditions, or other unexpected behavior of the system that deserves closer investigation. Data clustering algorithms provide the user a valuable insight into event logs, they have received little attention in the context of system and network management. One of the properties of log file data is that a majority of the words are very infrequent. Hierarchical cluster analysis forms clusters iteratively, by successively joining or splitting groups. There are two kinds: divisive, which starts with the entire data set in one large group and then successively splits it into smaller groups until each observation is its own group; and agglomerative, in which each observation starts in its own group, and groups are successively paired until at the end every observation is in the same large group. Divisive methods are computationally intensive and have had limited applications in the social sciences. Agglomerative methods have been implemented in many standard software packages. A cluster refers to a collection of data points aggregated together because of certain similarities. 
The k-means algorithm searches for a pre-determined number of clusters within an unlabeled multidimensional dataset. It accomplishes this using a simple conception of what the optimal clustering looks like. Each event source should register message files that contain description strings for each event identifier, event category, and parameter. You can create one message file that contains descriptions for the event identifiers, categories, and parameters, or create three separate message files. The message identifiers for all of your messages should be unique whether you specify the messages in one file or three files. Several applications can share the same message file. A cluster log is a record of service activity for a member of a server cluster. Clustering is done based on a similarity measure to group similar data objects together. This similarity measure is most commonly and in most applications based on distance functions such as Euclidean distance, Manhattan distance, Minkowski distance, Cosine similarity, etc. to group objects in clusters. Incorporating the teachings of Kushmerick into Yang and Cohen would produce received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessibly store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters, as disclosed by Kushmerick, (see Abstract). 
	Regarding dependent claim(s) 3, the combination of Yang and Cohen discloses the system as in claim 1. However, the combination of Yang and Cohen does not appear to specifically disclose wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families, create a new message cluster based on the first new event message.
	In the same field of endeavor, Kushmerick discloses wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families, create a new message cluster based on the first new event message (Kushmerick discloses there are a number of reasons why event messages, particularly when accumulated and stored by the millions in event-log files (frequency) and fraction of the total number of event messages that are received and logged. A parsing function succeeds when the regular function on which it is based is matched to an entire event message or a portion of an event message. Cluster distributor-component 1434 of the event-message- clustering system 1410 assigns the first event message. A new cluster is created 1452 and the event message is added to the new cluster. A new cluster is created and the subsequently received event message becomes the first event message assigned to the new cluster. The event message to be assigned to a particular existing cluster. A cluster/multiple cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. Parameter values are tokens or message fields that are likely to be highly variable over a set of messages of a particular type. Date/time stamps, for example, are nearly unique for each event message, with two event messages having an identical date/time stamp (ages) only in the case that the two event messages are generated within less than a second of one another. System administrators and other authorized users to view event logs, edit event logs, archive event logs, monitor incoming event records in real time, and to issue commands to the event-message-clustering system. 
These commands include, in certain implementations, commands that direct the event message- clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters, add a new cluster, the new cluster defined by a feature vector, cluster identifier, and parsing function provided by the user, remove an existing cluster, and modify an existing cluster, (see Kushmerick: Para. 0073-0078, 0097 and 0118). This reads on the claim concept of wherein the processor is to: in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families, create a new message cluster based on the first new event message). 
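The lookup order recited in claims 1 to 3 above (most active cluster family first, clusters within a family from oldest-created to youngest-created, a new cluster when nothing matches) can be sketched as follows; this is an added example, not code from the application or from Yang, Cohen or Kushmerick. The bag-of-words cosine measure, the 60-second window, the 0.50 overlap bound used to place a new cluster in a family, the constructed sample messages and all class and function names are assumptions; only the 0.85 match threshold is taken from the text above.

```python
import math
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import NamedTuple

MATCH_THRESHOLD = 0.85    # example threshold the action quotes from Cohen
OVERLAP_THRESHOLD = 0.50  # assumption: bound for clusters that "overlap" into one family
WINDOW_SECONDS = 60.0     # assumption: the "predetermined period of time"


class Assignment(NamedTuple):
    family_id: int
    cluster_id: int
    created: bool      # True when no existing cluster matched
    comparisons: int   # templates examined before the decision


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two token-count vectors (assumed measure)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


@dataclass
class Cluster:
    cluster_id: int
    template: Counter          # tokens of the first message that formed the cluster
    count: int = 0


@dataclass
class Family:
    family_id: int
    clusters: list = field(default_factory=list)    # kept in creation order
    arrivals: deque = field(default_factory=deque)  # timestamps of assigned messages

    def rate(self, now: float) -> int:
        """Messages received inside the sliding window ending at `now`."""
        while self.arrivals and self.arrivals[0] <= now - WINDOW_SECONDS:
            self.arrivals.popleft()
        return len(self.arrivals)


class ClusterDictionary:
    def __init__(self):
        self.families = []
        self._next_cluster_id = 0

    def assign(self, message: str, now: float) -> Assignment:
        vec = Counter(message.lower().split())
        # Most active family first; ties fall back to family creation order.
        ranked = sorted(self.families, key=lambda f: (-f.rate(now), f.family_id))
        comparisons = 0
        for fam in ranked:                      # next most active on a miss (claim 2)
            for cl in fam.clusters:             # oldest-created to youngest-created
                comparisons += 1
                if cosine(vec, cl.template) >= MATCH_THRESHOLD:
                    cl.count += 1
                    fam.arrivals.append(now)
                    return Assignment(fam.family_id, cl.cluster_id, False, comparisons)
        # Nothing matched in any family: create a new cluster (claim 3).
        cl = Cluster(self._next_cluster_id, vec, 1)
        self._next_cluster_id += 1
        # Placement scan (not counted as match comparisons): join an overlapping family.
        home = next((f for f in self.families
                     if any(cosine(vec, c.template) >= OVERLAP_THRESHOLD for c in f.clusters)),
                    None)
        if home is None:
            home = Family(len(self.families))
            self.families.append(home)
        home.clusters.append(cl)
        home.arrivals.append(now)
        return Assignment(home.family_id, cl.cluster_id, True, comparisons)


# Constructed sample: (timestamp in seconds, event text). Not taken from any real log.
SAMPLE = [
    (0,  "sshd failed password for invalid user alice from port 22 ssh2"),
    (1,  "sshd failed password for invalid user bob from port 22 ssh2"),
    (2,  "sshd accepted password for valid user carol from port 22 ssh2"),
    (3,  "kernel disk sda1 reported io error at sector 4096"),
    (90, "kernel disk sda1 reported io error at sector 8192"),
    (91, "kernel disk sda1 reported io error at sector 12288"),
    (92, "sshd accepted password for valid user dave from port 22 ssh2"),
]


def replay(sample):
    """Feed the sample through a fresh dictionary; return the results and the dictionary."""
    d = ClusterDictionary()
    return [d.assign(msg, ts) for ts, msg in sample], d


if __name__ == "__main__":
    for (ts, msg), res in zip(SAMPLE, replay(SAMPLE)[0]):
        print(ts, res, msg)
```

In the replay, the disk message at t=91 is resolved in one comparison because its family is the only one with traffic inside the window, while the sshd message at t=92 costs three comparisons because the now-busier disk family is tried first.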
	Regarding dependent claim(s) 4, the combination of Yang and Cohen discloses the system as in claim 1. However, the combination of Yang and Cohen do not appear to specifically disclose wherein the system further comprises: a transient memory to store the plurality of cluster families of the cluster dictionary; a persistent memory to store additional cluster families of the cluster dictionary; and the processor to: in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieve a subset of the additional cluster families from the persistent memory to compare with the first new event message; select an oldest-created cluster family from the subset of the additional cluster families; compare the first new event message to each message cluster in the oldest-created cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a given message cluster in the oldest-created cluster family is identified; and upon identifying the match between the first new event message and the given message cluster in the oldest-created cluster family, assign the first new event message to the given message cluster.
	In the same field of endeavor, Kushmerick discloses wherein the system further comprises: a transient memory to store the plurality of cluster families of the cluster dictionary; a persistent memory to store additional cluster families of the cluster dictionary; and the processor to (Kushmerick discloses the computer system contains one or multiple central processing units ("CPUs") 102-105, one or more electronic memories 108 interconnected with the CPUs by a CPU/memory-subsystem bus 110 or multiple busses, a first bridge 112 that interconnects the CPU/memory-subsystem bus 110 with additional busses storage may be distributed over multiple computational nodes, (see Kushmerick: Para. 004, 0070-0078, 0107, 0129-0143, 0211-0214 and 0223). Mass storage refers to various techniques and devices for storing large amounts of data. Mass storage is distinct from memory, which refers to temporary storage areas within the computer. Unlike main memory, mass storage devices retain data even when the computer is turned off. Persistent storage is any data storage device that retains data after power to that device is shut off. Many different types of computer-system architectures that differ from one another in the number of different memories, including different types of hierarchical cache memories (mass-storage devices). The physical states of physical devices, including electronic memories and mass-storage devices. Clustering is the task of dividing/comparing the data points into a number of groups such that data points in the same groups are more similar to other data points in the same group/family than those in other groups/family. A Dictionary is the unordered and changeable collection of data values that holds key-value pairs. Each key-value pair in the dictionary maps the key to its associated value making it more optimized, which is list of parameter values/list of pointers and associated string lengths. 
Keys will be a single element and Values can be a list or list within a list and numbers. Accessible store event information and the parsing functions also provide an alternative basis for assignment of event messages to clusters. The event-message-clustering system initializes storage for clusters, the static-portion table, and the redirection-rule and in the next step the event-message-clustering system waits for a next event to occur, (see Kushmerick: Para. 0044-0069, 0070-0078, 0080-0096, 0099, 0124 and FIG. 24). This reads on the claim concept of wherein the system further comprises: a transient memory to store the plurality of cluster families of the cluster dictionary; a persistent memory to store additional cluster families of the cluster dictionary; and the processor to): 
	in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieve a subset of the additional cluster families from the persistent memory to compare with the first new event message (Kushmerick discloses there are a number of reasons why event messages, particularly when accumulated and stored by the millions in event-log files (frequency) and fraction of the total number of event messages that are received and logged. A parsing function succeeds when the regular function on which it is based is matched to an entire event message or a portion of an event message. Cluster distributor-component 1434 of the event-message-clustering system 1410 assigns the first event message. The event message to be assigned to a particular existing cluster. Commands that direct the event-message-clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters, add a new cluster, the new cluster defined by a feature vector, cluster identifier, and parsing function provided by the user, remove an existing cluster, and modify an existing cluster. Event messages may be relatively directly transmitted from a component within a discrete computer system to the administration computer or may be collected at various hierarchical levels within a discrete computer and then forwarded from an event-message-collecting entity within the discrete computer to the administration computer. Multiple clusters/family of event records 1412-1422. Each cluster includes stored event records, such as the stored event records 1424 of cluster 1412, and a cluster identifier, such as cluster identifier 1426 of cluster. The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. 
A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. One or more log messages may be assigned to initial clusters at an ingest time (e.g., upon receiving the log message(s) from a source), and the log message(s) may be subsequently retrieved in response to a query to modify or supplement the initial clustering and generate statistics and/or presentations based on the clustering. These log targets are associated with specific hosts, and a target may be a specific database application, which is associated with one or more logs and one or more hosts. Clustering is the task of dividing the data points into a number of groups/families such that data points in the same groups are more similar to other data points in the same group/families than those in other groups. It is only when encoded computer instructions are loaded into an electronic memory within a computer system and executed on a physical processor. Persistent memory is any method or apparatus for efficiently storing data structures such that they can continue to be accessed using memory instructions or memory APIs even after the end of the process that created or last modified them and transient memory is memory that temporarily holds data, (see Kushmerick: Para. 0044, 0059-0061, 0069-0077, 0083-0097 and 0124). This reads on the claim concept of in response to a determination that the first new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieve a subset of the additional cluster families from the persistent memory to compare with the first new event message);
	However, Kushmerick and Yang do not appear to specifically disclose select an oldest-created cluster family from the subset of the additional cluster families; compare the first new event message to each message cluster in the oldest-created cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a given message cluster in the oldest-created cluster family is identified; and upon identifying the match between the first new event message and the given message cluster in the oldest-created cluster family, assign the first new event message to the given message cluster.
	In the same field of endeavor, Cohen discloses select an oldest-created cluster family from the subset of the additional cluster families; compare the first new event message to each message cluster in the oldest-created cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a given message cluster in the oldest-created cluster family is identified (Cohen discloses the generation of the dictionary applies a translation of text based event messages in respective logs into the dictionary of event types and relate to log analysis. Map each event e(t,msg) to one of the clusters, leading to the new representation of each event as (t, c;), as illustrated in FIG. 7b, which is described hereinafter. The set of message clusters forms the cluster dictionary 450 (i.e. dictionary of event types), with each cluster representing (and being represented by) a message event template text. To create the cluster dictionary 450, mapping the events to a typically much smaller set of message clusters. A first event is read from the log file and compared with existing clusters, using Equation 1, to see if the event matches the template in any existing cluster. This requires automatically discovering such event sequences from the massive logs, a prerequisite for which is that log events can be compared and matched. Each new event is compared to the template in each of the existing clusters in the order in which the clusters were created, and is assigned to the first cluster to which the similarity groups,   (see Cohen: Para. 0021-0035, 0038-0042, 0047-051 and FIG. 4-6). 
This reads on the claim concept of select an oldest-created cluster family from the subset of the additional cluster families; compare the first new event message to each message cluster in the oldest-created cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster, until a match between the first new event message and a given message cluster in the oldest-created cluster family is identified); and 
	upon identifying the match between the first new event message and the given message cluster in the oldest-created cluster family, assign the first new event message to the given message cluster (Cohen discloses a pointer to the text in a template database or the like) of a representative log event message, and a message count 603, indicating the number of times a log event message has been assigned to the cluster. If there exists a cluster to which the cosine distance is equal to or larger than the pre-defined threshold (e.g. 0.85), then the event is deemed to match the cluster and is assigned to that cluster, a record of the assignment is made in the cluster assignment record 440, which is associated with the log file, (see Cohen: Para. 0047-0058, 0060-0080 and FIG. 4-6). This reads on the claim concept of upon identifying the match between the first new event message and the given message cluster in the oldest-created cluster family, assign the first new event message to the given message cluster). 
	Regarding dependent claim(s) 5, the combination of Yang, Cohen and Kushmerick discloses the system as in claim 4. However, the combination of Yang and Cohen do not appear to specifically disclose wherein the processor is to: receive a second new event message associated with a second computer system event log; compare the second new event message to each message cluster of the plurality of cluster families stored in the transient memory; in response to the second new event message not being assigned to any message clusters of the plurality of cluster families stored in the transient memory, select the subset of the cluster families from the persistent memory; compare the second new event message to each message cluster of the subset of the additional cluster families to provide a comparison result; and determine an assignment for the second new event message based on the comparison result. 
	In the same field of endeavor, Kushmerick discloses wherein the processor is to: receive a second new event message associated with a second computer system event log (Kushmerick discloses the event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. The clusters represent a typing scheme for event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessible store event information and an event-message-clustering system. Type the event messages by assigning each event record corresponding to an event message to a particular cluster. Subsequently received event messages are similarly processed. Either a subsequently received event message is assigned to an existing cluster or new cluster. The different tenant-associated virtual-data centers within a multi-tenant virtual data center for four different tenants 916-919. Each multi-tenant virtual data center is managed by a cloud director comprising one or more cloud director servers and associated cloud-director databases, (see Kushmerick: Para. 0063, 0073-0087). This reads on the claim concept of wherein the processor is to: receive a second new event message associated with a second computer system event log); 
	compare the second new event message to each message cluster of the plurality of cluster families stored in the transient memory (Kushmerick discloses the common substrings 3112 and 3114 are compared to the third event message 3116. As a result of this comparison, two new common substrings 3118 and 3120 are produced. This process continues with consideration of subsequent event messages to produce common substrings 3122 and 3123 which, should the remaining event messages in the cluster follow the same pattern followed by the initial five event messages in the cluster, represent the common or static portions of all of the event messages within the cluster. These two common substrings 3122-3123 can then be used to create an initial regular expression 3124 as the basis for a parsing function for the event messages of the cluster. This set of split redirection rules can be modified by creating a comprehensive split rule 2640 to directly split cluster into the six clusters. A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity, (see Kushmerick: Para. 0070-0096 and 0992-0114). This set of split redirection rules can be modified by creating a comprehensive split rule 2640 to directly split cluster into the six clusters. A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. Clustering is the task of dividing the data points into a number of groups/family such that data points in the same groups/family are more similar to other data points in the same group than those in other groups/family. The second event message is assigned as the metric associated with the new, second cluster 1456. Subsequently received event messages are similarly processed. 
Transient memory is memory that temporarily holds data (see Kushmerick: Para. 0043-0050, 0072-0096 and 0100-0128). This reads on the claim concept of compare the second new event message to each message cluster of the plurality of cluster families stored in the transient memory); 
	in response to the second new event message not being assigned to any message clusters of the plurality of cluster families stored in the transient memory, select the subset of the cluster families from the persistent memory; compare the second new event message to each message cluster of the subset of the additional cluster families to provide a comparison result; and determine an assignment for the second new event message based on the comparison result (Kushmerick discloses a cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. Clustering is the task of dividing/comparing the data points into a number of groups such that data points in the same groups are more similar to other data points in the same group than those in other groups. An event message is assigned to that cluster for which the distance between the event message and the first event message assigned to the cluster. Multiple clusters of event records 1412-1422. Each cluster includes stored event records, such as the stored event records 1424 of cluster 1412, and a cluster identifier, such as cluster identifier 1426 of cluster 1412. The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. Event message is assigned to that cluster for which the distance between the event message, (see Kushmerick: Para. 0043-0050, 0070-0096 and 0992-0114). Persistent memory is any method or apparatus for efficiently storing data structures such that they can continue to be accessed using memory instructions or memory APIs even after the end of the process that created or last modified them. The common substrings 3112 and 3114 are compared to the third event message to the event messages of the cluster. 
The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. The clusters represent a typing scheme for event messages. As a result of this comparison, two new common substrings 3118 and 3120 are produced, (see Kushmerick: Para. 0070-0096 and 0114). This reads on the claim concept of in response to the second new event message not being assigned to any message clusters of the plurality of cluster families stored in the transient memory, select the subset of the cluster families from the persistent memory; compare the second new event message to each message cluster of the subset of the additional cluster families to provide a comparison result; and determine an assignment for the second new event message based on the comparison result). 
	Regarding dependent claim(s) 6, the combination of Yang, Cohen and Kushmerick discloses the system as in claim 5. However, the combination of Yang and Cohen do not appear to specifically disclose wherein the processor is to create a new message cluster in the persistent memory based on the comparison result. 
	In the same field of endeavor, Kushmerick discloses wherein the processor is to create a new message cluster in the persistent memory based on the comparison result (Kushmerick discloses the split function included in the split request to return indexes for the newly created clusters based on the computers, but may also include a plethora of various types of special-purpose computing devices, including data-storage systems, communications routers, network nodes, tablet computers, and mobile telephones, (see Kushmerick: Para. 0044-0072 and 0075-0099). Mass storage refers to various techniques and devices for storing large amounts of data. Mass storage is distinct from memory, which refers to temporary storage areas within the computer. Unlike main memory, mass storage devices retain data even when the computer is turned off. Persistent storage is any data storage device that retains data after power to that device is shut off. Many different types of computer-system architectures that differ from one another in the number of different memories, including different types of hierarchical cache memories (mass-storage devices). The physical states of physical devices, including electronic memories and mass-storage devices. Clustering is the task of dividing/comparing the data points into a number of groups such that data points in the same groups are more similar to other data points in the same group/family than those in other groups/family.
A Dictionary is the unordered and changeable collection of data values that holds key-value pairs.
Each key-value pair in the dictionary maps the key to its associated value making it more optimized, which is list of parameter values/list of pointers and associated string lengths. Keys will be a single element and Values can be a list or list within a list and numbers. Accessible store event information and the parsing functions also provide an alternative basis for assignment of event messages to clusters. The event-message-clustering system initializes storage for clusters, the static-portion table, and the redirection-rule and in the next step the event-message-clustering system waits for a next event to occur. As a result of this comparison, two new common substrings 3118 and 3120 are produced, (see Kushmerick: Para. 0044-0069, 0070-0078, 0080-0096, 0099, 0124 and FIG. 24). This reads on the claim concept of wherein the processor is to create a new message cluster in the persistent memory based on the comparison result). 
	Regarding dependent claim(s) 8, the combination of Yang and Cohen discloses the system as in claim 1. However, the combination of Yang and Cohen do not appear to specifically disclose wherein the most active cluster family includes a first message cluster and a second message cluster, and the processor is to: compare the first message cluster to the second message cluster to provide a comparison result; and merge the first message cluster and the second message cluster into a single combined message cluster based upon the comparison result. 
	In the same field of endeavor, Kushmerick discloses wherein the most active cluster family includes a first message cluster and a second message cluster, and the processor is to: compare the first message cluster to the second message cluster to provide a comparison result (Kushmerick discloses the computer system contains one or multiple central processing units ("CPUs") 102-105, one or more electronic memories 108 interconnected with the CPUs by a CPU/memory-subsystem bus 110 or multiple busses. The first event message and a second message, analyze by the cluster/multiple cluster distributors by computed metric to the metric assigned to the first cluster/second cluster. The computed feature vector v_r is compared with all of the feature vectors for the n clusters to determine a cluster i associated with feature vector v_i for which the distance d computed for v_r and v_i is minimal. Clusters are created dynamically as event messages are received and processed. There are a number of reasons why event messages, particularly when accumulated and stored by the millions in event-log files (frequency) and fraction of the total number of event messages that are received and logged.
Commands that direct the event-message-clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters, add a new cluster, the new cluster defined by a feature vector, cluster identifier, and parsing function provided by the user, remove an existing cluster, and modify an existing cluster. Event messages may be relatively directly transmitted from a component within a discrete computer system to the administration computer or may be collected at various hierarchical levels within a discrete computer and then forwarded from an event-message-collecting entity within the discrete computer to the administration computer. Multiple clusters/family of event records 1412-1422. Each cluster includes stored event records, such as the stored event records 1424 of cluster 1412, and a cluster identifier, such as cluster identifier 1426 of cluster. The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity, (see Kushmerick: Para. 0044, 0073-0090). This reads on the claim concept of wherein the most active cluster family includes a first message cluster and a second message cluster, and the processor is to: compare the first message cluster to the second message cluster to provide a comparison result); and 
	merge the first message cluster and the second message cluster into a single combined message cluster based upon the comparison result (the event-message-clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters. The parsing function for a cluster may be generated by downstream analytic subsystems and furnished by these downstream subsystems to a clustering subsystem. Similarly, these downstream analytic subsystems may provide indications to the clustering subsystem for when to apply split and merge operations to clusters. Analysis by this routine indicates that the two clusters should be merged, the routine generates a merge event for subsequent handling by the previously discussed merge function. Merge clusters option allows you to merge two clusters into a single cluster, and then recalculate and draw the new cluster boundaries. If the two clusters are not adjacent, the boundaries will not be merged, but the clusters will appear the same (i.e., similarity) on database, will be assigned the same cluster number, and will be treated together in cluster statistics. These may be indications of clusters that should be merged into a single cluster. Advantage of event-record logs in comparison to event-message logs is that the event-record logs are fully and uniformly structured, which additionally facilitates downstream automated analysis and interpretation, which is cluster based upon the second comparison result, (see Kushmerick: Para. 0088, 0097, 0114-0116 and 0123-0129). This reads on the claim concept of merge the first message cluster and the second message cluster into a single combined message cluster based upon the comparison result).  
	Regarding dependent claim(s) 11, the combination of Yang, Cohen and Kushmerick discloses the method as in claim 10. However, the combination of Yang and Kushmerick do not appear to specifically disclose further comprising: comparing the new event message to each message cluster in the next most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster in the next most active cluster family, until a match between the new event message and a given message cluster in the next most active cluster family is identified.
	In the same field of endeavor, Cohen discloses further comprising: comparing the new event message to each message cluster in the next most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster in the next most active cluster family, until a match between the new event message and a given message cluster in the next most active cluster family is identified (Cohen discloses the generation of the dictionary applies a translation of text based event messages in respective logs into the dictionary of event types and relate to log analysis. Map each event e(t,msg) to one of the clusters, leading to the new representation of each event as (t, c;), as illustrated in FIG. 7b, which is described hereinafter. The set of message clusters forms the cluster dictionary 450 (i.e. dictionary of event types), with each cluster representing (and being represented by) a message event template text. To create the cluster dictionary 450, mapping the events to a typically much smaller set of message clusters. A first event is read from the log file and compared with existing clusters, using Equation 1, to see if the event matches the template in any existing cluster. This requires automatically discovering such event sequences from the massive logs, a prerequisite for which is that log events can be compared and matched. Each new event is compared to the template in each of the existing clusters in the order in which the clusters were created, and is assigned to the first cluster to which the similarity groups, (see Cohen: Para. 0021-0035, 0038-0042, 0047-051 and FIG. 4-6). 
This reads on the claim concept of comparing the new event message to each message cluster in the next most active cluster family, in an order from an oldest-created message cluster to a youngest-created message cluster in the next most active cluster family, until a match between the new event message and a given message cluster in the next most active cluster family is identified). 
	Regarding dependent claim(s) 13, the combination of Yang and Cohen discloses the method as in claim 9. However, the combination of Yang and Cohen do not appear to specifically disclose further comprising: storing additional cluster families of event messages of the cluster dictionary in a persistent memory; and in response to a determination that the new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieving a subset of the additional cluster families from the persistent memory to compare with the new event message.
	In the same field of endeavor, Kushmerick discloses further comprising: storing additional cluster families of event messages of the cluster dictionary in a persistent memory; and in response to a determination that the new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieving a subset of the additional cluster families from the persistent memory to compare with the new event message (Kushmerick discloses there are a number of reasons why event messages, particularly when accumulated and stored by the millions in event-log files (frequency) and fraction of the total number of event messages that are received and logged. A parsing function succeeds when the regular function on which it is based is matched to an entire event message or a portion of an event message. Cluster distributor-component 1434 of the event-message- clustering system 1410 assigns the first event message. The event message to be assigned to a particular existing cluster. Commands that direct the event-message-clustering system to merge two or more clusters into a single cluster, split a particular cluster into multiple clusters, add a new cluster, the new cluster defined by a feature vector, cluster identifier, and parsing function provided by the user, remove an existing cluster, and modify an existing cluster. Event messages may be relatively directly transmitted from a component within a discrete computer system to the administration computer or may be collected at various hierarchical levels within a discrete computer and then forwarded from an event message- collecting entity within the discrete computer to the administration computer. Multiple clusters/family of event records 1412-1422. Each cluster includes stored event records, such as the stored event records 1424 of cluster 1412, and a cluster identifier, such as cluster identifier 1426 of cluster. 
The event-message-clustering system 1410 processes each received event message to transform the received event message into an event record and determines to which cluster to assign the event record. A cluster that identifies any messages matching the component is defined such that a value for the component is allowed to differ across log messages in the cluster while sharing a same cluster identity. One or more log messages may be assigned to initial clusters at an ingest time (e.g., upon receiving the log message(s) from a source), and the log message(s) may be subsequently retrieved in response to a query to modify or supplement the initial clustering and generate statistics and/or presentations based on the clustering. These log targets are associated with specific hosts, and a target may be a specific database application, which is associated with one or more logs and one or more hosts. Clustering is the task of dividing the data points into a number of groups/families such that data points in the same groups are more similar to other data points in the same group/families than those in other groups. It is only when encoded computer instructions are loaded into an electronic memory within a computer system and executed on a physical processor. Persistent memory is any method or apparatus for efficiently storing data structures such that they can continue to be accessed using memory instructions or memory APIs even after the end of the process that created or last modified them and transient memory is memory that temporarily holds data, (see Kushmerick: Para. 0044, 0059-0061, 0069-0077, 0083-0097 and 0124).
This reads on the claim concept of storing additional cluster families of event messages of the cluster dictionary in a persistent memory; and in response to a determination that the new event message does not match any message clusters of the plurality of cluster families in the transient memory, retrieving a subset of the additional cluster families from the persistent memory to compare with the new event message).
	Accordingly, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the clusters that overlap and compared with existing clusters of Yang and Cohen in order to have incorporated incoming event messages/new event messages, as disclosed by Kushmerick, since both of these mechanisms are directed to If a line is appended to a log file that matches a pattern, the log file monitor takes a certain action. A clustering algorithm could identify many line patterns that reflect normal system activity and that can be immediately included in the system profile, since the user does not wish to analyze them further with the association rule algorithms. The cluster of outliers that is formed by the clustering algorithm contains infrequent lines that could represent previously unknown fault conditions, or other unexpected behavior of the system that deserves closer investigation. Data clustering algorithms provide the user a valuable insight into event logs, they have received little attention in the context of system and network management. One of the properties of log file data is that a majority of the words are very infrequent. Hierarchical cluster analysis forms clusters iteratively, by successively joining or splitting groups. There are two kinds: divisive, which starts with the entire data set in one large group and then successively splits it into smaller groups until each observation is its own group; and agglomerative, in which each observation starts in its own group, and groups are successively paired until at the end every observation is in the same large group. Divisive methods are computationally intensive and have had limited applications in the social sciences. Agglomerative methods have been implemented in many standard software packages. A cluster refers to a collection of data points aggregated together because of certain similarities.
The k-means algorithm searches for a pre-determined number of clusters within an unlabeled multidimensional dataset. It accomplishes this using a simple conception of what the optimal clustering looks like. Each event source should register message files that contain description strings for each event identifier, event category, and parameter. You can create one message file that contains descriptions for the event identifiers, categories, and parameters, or create three separate message files. The message identifiers for all of your messages should be unique whether you specify the messages in one file or three files. Several applications can share the same message file. A cluster log is a record of service activity for a member of a server cluster. Clustering is done based on a similarity measure to group similar data objects together. This similarity measure is most commonly and in most applications based on distance functions such as Euclidean distance, Manhattan distance, Minkowski distance, Cosine similarity, etc. to group objects in clusters. Incorporating the teachings of Kushmerick into Yang and Cohen would produce received event messages are assigned to event-message clusters based on non-parameter tokens identified within the event messages. A parsing function is generated for each cluster that is used to extract data from incoming event messages and to prepare event records from event messages that more efficiently and accessible store event information. The parsing functions also provide an alternative basis for assignment of event messages to clusters, as disclosed by Kushmerick, (see Abstract).
	Regarding claim 10 (drawn to a method): claim 10 is a method claim that corresponds to the system of claim 2. Therefore, claim 10 is rejected for at least the same reasons as the system of claim 2.
	Regarding claim 12 (drawn to a method): claim 12 is a method claim that corresponds to the system of claim 3. Therefore, claim 12 is rejected for at least the same reasons as the system of claim 3.
	Regarding claim 15 (drawn to a computer-readable medium): claim 15 is a computer-readable medium claim that corresponds to the system of claim 2. Therefore, claim 15 is rejected for at least the same reasons as the system of claim 2.
	Regarding claim 16 (drawn to a computer-readable medium): claim 16 is a computer-readable medium claim that corresponds to the system of claim 3. Therefore, claim 16 is rejected for at least the same reasons as the system of claim 3.
	Regarding claim 17 (drawn to a computer-readable medium): claim 17 is a computer-readable medium claim that corresponds to the system of claim 4. Therefore, claim 17 is rejected for at least the same reasons as the system of claim 4.
	Regarding claim 18 (drawn to a computer-readable medium): claim 18 is a computer-readable medium claim that corresponds to the system of claim 8. Therefore, claim 18 is rejected for at least the same reasons as the system of claim 8.
	Regarding claim 19 (drawn to a method): claim 19 is a method claim that corresponds to the system of claim 8. Therefore, claim 19 is rejected for at least the same reasons as the system of claim 8.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. (US 2014/0164376 A1, hereinafter Yang) in view of Cohen et al. (US 2011/0185234 A1, hereinafter Cohen), in view of Kushmerick et al. (US 2015/0370885 A1, hereinafter Kushmerick) and in view of Neels et al. (US 2016/0034525 A1, hereinafter Neels).
Regarding dependent claim(s) 7, the combination of Yang, Cohen and Kushmerick discloses the system as in claim 5. However, the combination of Yang, Cohen and Kushmerick does not appear to specifically disclose wherein the processor is to select the subset of the additional cluster families based on a result of a text search.
In the same field of endeavor, Neels discloses wherein the processor is to select the subset of the additional cluster families based on a result of a text search (Neels discloses a search query is executed, the search query can produce a dataset or a search result that satisfies the search criteria for the search query and includes various strings of text and numbers interspersed with various punctuation marks and spaces. The search results cluster list 108 may include different and/or additional information. Determines if there are any additional clusters determined at block 206. If there are additional clusters, method 200 returns to block 206 and determines the search terms for each remaining cluster or each cluster as they are selected. The resulting set of tokens 304 is a list or group of keywords that represent the content of the event and generate the search terms that would result in finding a meaningful group of data, the system performs preliminary grouping (clustering) of events from source data, and identifies a set of search terms for each group of events, (See Neels: Para. 0024-0038 and 0041-0075). This reads on the claim concept of wherein the processor is to select the subset of the additional cluster families based on a result of a text search).
Accordingly, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the clusters that overlap and compared with existing clusters of Yang, Cohen and Kushmerick in order to have incorporated text search for log events, as disclosed by Neels, since both of these mechanisms are directed to event Log Analyzer is a web-based, real-time, log monitoring and compliance management solution for Security Information and Event Management (SIEM) that improves internal network security and helps you to comply with the latest IT audit requirement. Using an agent-less architecture, Event Log Analyzer can collect, analyze, search, report, and archive an extensive array of machine generated logs received from Systems (Windows, Linux, UNIX ...), Network Devices (routers, switches, etc ...), Applications (Oracle, Apache, etc ...) and then provides important insights into network user activities, policy violations, network anomalies, system downtime, and internal threats. Monitor user activities like user logons/logoffs, failed logons, and objects accessed and monitor network activities of servers, workstations, devices, and applications spread across geographies. Generate reports for top network events, user activities, and network event trends. Manage Engine Event Log Analyzer collects, analyzes, searches, reports, and archives on event logs from distributed Windows hosts; syslogs from Linux/UNIX hosts, Routers, Switches and other syslog devices; application logs from IIS Web/FTP Servers, Print Servers, MS SQL Server, Oracle Database Server, DHCP Windows/Linux Servers. Event Log Analyzer provides a powerful 'universal log search' engine for all types of machine generated logs.
Universal log search is made possible with the help of 'field extraction' procedure, where you can define/extract new fields from your log data, in addition to the set of default fields that Event Log Analyzer automatically parses and indexes. The Event Log Analyzer collects, analyzes, searches, correlates, reports, and stores logs from a centralized platform. Clustering, a group of different data objects is classified as similar objects. One group means a cluster of data. Data sets are divided into different groups in the cluster analysis, which is based on the similarity of the data. After the classification of data into various groups, a label is assigned to the group. It helps in adapting to the changes by doing the classification. The key to interpreting a hierarchical cluster analysis is to look at the point at which any given pair of cards “join together” in the tree diagram. Cards that join together sooner are more similar to each other than those that join together later. Hierarchical cluster analysis forms clusters iteratively, by successively joining or splitting groups. Incorporating the teachings of Neels into Yang, Cohen and Kushmerick would produce a processing device performs a preliminary grouping of data items in a dataset to define one or more clusters and for each cluster, identifies a set of search terms for a search query that would retrieve data items in the cluster upon execution of the search query against the dataset, as disclosed by Neels, (see Abstract). 
Examiner's Notes
Examiner cites particular columns and line numbers in the references as applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner and the additional related prior arts made of record that are considered pertinent to applicant's disclosure to further show the general state of the art.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOHANES Demiss KELEMEWORK whose telephone number is (571)272-8772.  The examiner can normally be reached on Monday-Friday 8:00 am-5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas can be reached on 571-272-0631.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/YOHANES D KELEMEWORK/Examiner, Art Unit 2164       

/ASHISH THOMAS/Supervisory Patent Examiner, Art Unit 2164