DETAILED ACTION

Claims 1-30 are pending in the application and claims 1-30 are rejected.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 1-30 rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) 1, 24, and 28 recite(s) a method of determining anomalies. The limitations that recite using tokens and values and comparing them with patterns to determine anomalies covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting the use of generic computer components such as a processor, nothing in the claim element precludes the step from practically being performed in the mind. Under its broadest reasonable interpretation, the limitations covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. 
i.e., as a generic processor performing a generic computer function of such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

	Dependent claims are rejected for depending off independent claims and for reciting the same mental process.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-30 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. Independent claims along with many of the dependent claims refer to a number of tokens and a number of values for tokens without describing with sufficient detail what the tokens are and how they are related to a number of values making the claims unclear as to what exactly a token is and how it functions. Claims 2-4 recite extracting the first and second tokens from second third and fourth raw data but it is unclear whether or not that it the same exact tokens as extracted by in the raw data, it seems that they should not be exactly the same tokens but the claims’ usage of the term “the” describes the all the tokens being exactly the same regardless of which raw data it is being extracted from. 

The rest of the dependent claims are rejected for depending off the independent claims.

Claim Objections
	Claim 2 recites “from second raw machine data” without sufficient antecedent basis. Appropriate corrections should be made.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claim(s) 1, 5-8, 11, 12, 24, 26, 28 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896
Regarding claim 1, Furbish teaches: determining that a first value of a first token in the one or more tokens is anomalous in response to the comparison, wherein the first value of the first token is determined to be anomalous (Furbish see col. 3 lines 11-29 col. 4 lines 32-46 identify anomalous value in account data by comparing account data with a baseline and if value exceed threshold for baseline it is determined to be an anomaly. Account data reads on value of token and baseline reads on data pattern)
determining that a second value of a second token in the one or more tokens corresponds to a range of values; and (Furbish see col. 5 lines 34-58 col. 14 lines 47-63 account data includes a number of different potential category of values each of which reads on a token, for example $50,000-$100,000 in annual revenue)
indicating that there is a correlation between the second token having the second value and the first token having an anomalous value (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly. Using standard deviation or mean or distance calculations reads on correlation and each kind of account data reads on a token)
Furbish does not distinctly disclose: extracting one or more tokens from raw machine data, the raw machine data generated by one or more components in an information technology environment;
comparing the extracted one or more tokens to a first set of data patterns; 
determined to be anomalous prior to the raw machine data being indexed and stored in a data intake and query system
causing display of information indicating having an anomalous value
However, Muddu teaches: extracting one or more tokens from raw machine data, the raw machine data generated by one or more components in an information technology environment; (Muddu see paragraph 0135 0190 0194 extracting tokens from event data from raw machine data in information technology environment)
determined to be anomalous prior to the raw machine data being indexed and stored in a data intake and query system (Muddu see paragraph 0172 0174 0195 0659 0660 outgoing traffic log of devices to be processed prior to being input into the system determining if an anomaly exists, determination is made then data is stored and queried using index)
causing display of information indicating having an anomalous value (Muddu see paragraph 0539 see fig. 56 comparison yielding anomalies shown in diagram)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
	
Regarding claim 5, Furbish as modified further teaches: wherein determining that a second value of a second token in the one or more tokens corresponds to a range of values further comprising determining that the second value of the second token matches a specific value.  (Furbish see col. 7 lines 3-40 col. 9 lines 39-60 for any given parameter a range is given and when determining an anomaly for example an employee works 4 hours a week as opposed to 40)

Regarding claim 6, Furbish as modified further teaches: determining that a third value of a third token in the one or more tokens corresponds to a second range of values; and (Furbish see col. 7 lines 3-40 col. 9 lines 39-60 for any given parameter a range is given, this reads on any number of values for any number of tokens)
indicating that there is a correlation between the second token having the second value, the third token having the third value, and the first token having an anomalous value. (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly. Using standard deviation or mean or distance calculations reads on correlation and each kind of account data reads on a token)
causing display of information indicating having an anomalous value (Muddu see paragraph 0539 see fig. 56 comparison yielding anomalies shown in diagram)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.

Regarding claim 7, Furbish as modified further teaches: wherein the information indicates that the first value of the first token is anomalous.  (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly)

Regarding claim 8, Furbish as modified further teaches: wherein the information comprises at least one of a notification, a table, a graph, a chart, or an annotated version of the raw machine data.  (Muddu see paragraph 0539 figure 56 shows a chart)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.

Regarding claim 11, Furbish as modified further teaches: wherein a stream of raw machine data is ingested into the data intake and query system in sequence, wherein the stream of raw machine data comprises the raw machine data ng that a first value of a first token in the one or more tokens is anomalous further comprises determining that the first value of the first token in the one or more tokens is anomalous prior to any of the other raw (Muddu see paragraph 0154 action taken to validate conclusion of anomaly determination to be used as feedback for subsequent data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.

Regarding claim 12, Furbish as modified further teaches: wherein a stream of raw machine data is ingested into the data intake and query system in sequence, wherein the stream of raw machine data comprises the raw machine data other raw machine data that follows the raw machine data in time, and wherein the method further comprises determining in sequence, for each of the other raw machine data, whether the respective other raw machine data is anomalous as the respective other raw machine data is ingested into the data intake and query system and subsequent to determining that the first value of the first token in the one or more tokens is anomalous.  (Muddu see paragraph 0152 0154 batch processing of data determining anomlous activity done on pre-defined schedule, action taken to validate conclusion of anomaly determination to be used as feedback for subsequent data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.

Regarding claims 24, 26, and 28, note the rejection of claim(s) 1 and 8. The instant claims recite substantially same limitations as the above-rejected claims and are therefore rejected under same prior-art teachings.

Claim(s) 2-4, 23, 25, 27, 29, and 30 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Kurien et al. US2020/0183711
	Regarding claim 4, Furbish as modified further teaches: extracting the first token and the second token
comparing the first token and the second token to the first set of data patterns; 
determining that a value is anomalous in response to the comparison; and (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared to determine anomalies which reads on any number of tokens)
a value of the token is a minimum value in the range of values. (Furbish see col. 4 lines 32-46 col. 8 lines 31-40 anomalous value that deviates by minimum threshold from baseline, range of $500,000-$750,000 where $500,000 reads on minimum)
extracting the first token and the second token
comparing the first token and the second token to the first set of data patterns; 
determining that a value is anomalous in response to the comparison; and (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared to determine anomalies which reads on any number of tokens)
wherein the value is a maximum value in the range of values.  (Furbish see col. 8 lines 31-40 range of $500,000-$750,000 where $750,000 reads on minimum)
extracting the first token and the second token
comparing the first token and the second token to the first set of data patterns; 
determining that a value is not anomalous in response to the comparison; (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared to determine anomalies which reads on any number of tokens. Identifying anomalies also means that tokens not identified to be anomalies are therefore not anomalies)
data does not fall within the range of values; and 
determining that the range of values correlates to values of the first token being anomalous (Furbish see col. 7 lines 3-40 col. 9 lines 39-60 for any given parameter a range is given and when determining an anomaly for example an employee works 4 hours a week as opposed to 40)
from second raw machine data, the second raw machine data generated by the one or more components in the information technology environment prior to generation of the raw machine data; (Muddu see paragraph 0135 0147 0152 0153 0190 0341 extracting tokens from raw machine data events from historical data in IT environment where historical data reads on prior to generation of machine data)
(Muddu see paragraph 0135 0147 0152 0153 0161 0190 0341 extracting tokens from raw machine data events from historical data in IT environment where historical data reads on prior to generation of machine data, historical event data from prior analysis or from other prior analyzers which reads on any number of raw data)
from fourth raw machine data, the fourth raw machine data generated by the one or more components in the information technology environment prior to generation of the raw machine data; 
(Muddu see paragraph 0135 0147 0152 0153 0161 0190 0341 extracting tokens from raw machine data events from historical data in IT environment where historical data reads on prior to generation of machine data, historical event data from prior analysis or from other prior analyzers which reads on any number of raw data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
	Furbish does not teach: determining that a third value of the first token
storing a fourth value of the second token wherein the fourth value
determining that a fifth value of the first token
storing a sixth value of the second token
determining that a seventh value of the first token
determining that an eighth value of the second token
Kurien teaches: determining that a third value of the first token
storing a fourth value of the second token wherein the fourth value
determining that a fifth value of the first token
storing a sixth value of the second token
determining that a seventh value of the first token
determining that an eighth value of the second token (Kurien see paragraph 0007 a plurality of data entries and for each data entry a plurality of values where data entry reads on token and combined with Furbish and Muddu references reads on any number of tokens each having any number of values)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include a plurality of values for a plurality of data categories as taught by Kurien for the predictable result of more efficiently processing data

Regarding claim 23, Furbish as modified further teaches: comparing the extracted one or more second tokens to the first set of data patterns; 
comparing the extracted one or more second tokens to the first set of data patterns; 
determining that value of a third token in the one or more second tokens is anomalous in response to the comparison; (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly where subset of values reads on any number of tokens)
(Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared such as number of invoices last week and cash balance where the specific values of these categories do not mention any correlations reads on determining no token is correlated)
extracting a fourth token from the second raw machine data; determining that there is a correlation between the fourth token and the third token; and 
indicating that there is a correlation between the fourth token having the value and the third token having an anomalous value.(Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly. Using statistical comparisons reads on correlation)
extracting one or more second tokens from second raw machine data; (Muddu see paragraph 0135 0190 0194 extracting tokens from event data from raw machine data in information technology environment)
causing display of information indicating an anomalous value (Muddu see paragraph 0539 see fig. 56 comparison yielding anomalies shown in diagram)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
Furbish does not teach: a third value for a third token

	However, Kurien teaches: a third value for a third token
The fourth token having the fourth value (Kurien see paragraph 0007 a plurality of data entries and for each data entry a plurality of values where data entry reads on token and combined with Furbish and Muddu references reads on any number of tokens each having any number of values)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include a plurality of values for a plurality of data categories as taught by Kurien for the predictable result of more efficiently processing data

Regarding claims 2, 3, 25, 27, 29, 30, note the rejection of claim(s) 4 and 23. The instant claims recite substantially same limitations as the above-rejected claims and are therefore rejected under same prior-art teachings.

Claim(s) 9 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Berdichevsky et al. 2016/0134694
	Regarding claim 9, Furbish as modified does not teach: wherein the first token comprises user device usage, and wherein the second token comprises a user device model
Berdichevsky teaches: wherein the first token comprises user device usage, and wherein the second token comprises a user device model. (Berdichevsky see paragraph 0033 0034 receiving data extracting elements such as device usage and device model)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include data device model and usage as taught by Berdichevsky for the predictable result of more efficiently processing data

Claim(s) 10 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Lajevardi et al. US2020/0064818
Regarding claim 10, Furbish as modified teaches: data intake and query system (Muddu see paragraph 0172 0174 data in SQL store to be retrieved via SQL)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
Furbish does not teach: wherein extracting one or more tokens from raw machine data further comprises extracting the one or more tokens from the raw machine data within a threshold time of the raw machine data being ingested into the system
	Lajevardi teaches: wherein extracting one or more tokens from raw machine data further comprises extracting the one or more tokens from the raw machine data within a (Lajevardi see paragraph 0044 data from temperature sensors to be extracted such that user extract data frames previously stored and a time period of the data to extract. Data from sensors reads on raw machine data, frames reads on tokens, time period reads on threshold time)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include time period threshold as taught by Lajevardi for the predictable result of more efficiently processing data

Claim(s) 13 and 14 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Marsh et al. US2020/0195656
	Regarding claim 13, Furbish as modified does not teach: wherein extracting one or more tokens further comprises generating a string vector using the one or more tokens
	Marsh teaches: wherein extracting one or more tokens further comprises 
generating a string vector using the one or more tokens (Marsh see paragraph 0043 token to store elements in string vector format such as <anchor attribute identifier, anchor attribute value, penalty value, penalty decay value>)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include a string vector as taught by Marsh for the predictable result of more efficiently organizing data.

Regarding claim 14, Furbish as modified does not teach: wherein extracting one or more tokens further comprises generating a string vector using the one or more tokens, and wherein each element of the string vector corresponds to one of the one or more tokens
	Marsh teaches: wherein extracting one or more tokens further comprises
generating a string vector using the one or more tokens, and wherein each element of the string vector corresponds to one of the one or more tokens.  (Marsh see paragraph 0043 token to store elements in string vector format such as <anchor attribute identifier, anchor attribute value, penalty value, penalty decay value>)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include a string vector as taught by Marsh for the predictable result of more efficiently organizing data.

Claim(s) 15-21 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Marsh et al. US2020/0195656
	Regarding claim 17, Furbish as modified further teaches: prior to the raw machine data being indexed and stored in the data intake and query system; (Muddu see paragraph 0135 0147 0152 0153 0190 0341 extracting tokens from raw machine data events from historical data historical data reads on prior to generation of machine data)
 a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
	Furbish does not teach: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern
updating the minimum cluster distance based on a creation of the new data pattern; and 
determining that the first value of the first token is anomalous in response to an assignment of the one or more tokens to the new data pattern.
	Gupta teaches: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern (Gupta see paragraph 0051-0055 a current slice or current point to be scanned to determine distance between the current point a different clusters determining if nearest clusters are within threshold distance. Current slices or points reads on tokens, clusters represent patterns)
updating the minimum cluster distance based on a creation of the new data pattern; and 
(Gupta see paragraph 0054 0055 if distance is not within threshold then current point is determined to be an unknown anomaly and then generating a new cluster thereby updating clusters and distances)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include clustering as taught by Gupta for the predictable result of more efficiently processing data and determining anomalies.

Regarding claim 19, Furbish as modified further teaches: prior to the raw machine data being indexed and stored in the data intake and query system; (Muddu see paragraph 0135 0147 0152 0153 0190 0341 extracting tokens from raw machine data events from historical data historical data reads on prior to generation of machine data)
extracting one or more second tokens from second raw machine data, the second raw machine data generated by the one or more components in the information technology environment; (Muddu see paragraph 0135 0190 0194 extracting tokens from event data from raw machine data in information technology environment)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
Furbish does not teach: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern
updating the minimum cluster distance based on a creation of the new data pattern;
comparing the one or more second tokens to the first set of data patterns and the new data pattern; and 
assigning the one or more second tokens to a first data pattern in the first set of data patterns based on a distance between the one or more second tokens and the first data pattern being less than the updated minimum cluster distance
determining that the first data pattern does not completely describe the one or more second tokens; and 
updating the first data pattern to include a wildcard such that the updated first data pattern completely describes the one or more second tokens.
	Gupta teaches: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern (Gupta see paragraph 0051-0055 a current slice or current point to be scanned to determine distance between the current point a different clusters determining if nearest clusters are within threshold distance. Current slices or points reads on tokens, clusters represent patterns)
updating the minimum cluster distance based on a creation of the new data pattern;

assigning the one or more second tokens to a first data pattern in the first set of data patterns based on a distance between the one or more second tokens and the first data pattern being less than the updated minimum cluster distance (Gupta see paragraph 0054 0055 0060-0063 if distance is not within threshold then current point is determined to be an unknown anomaly and then generating a new cluster thereby updating clusters and distances as historical points of data for new points to be compared. This reads on any number of tokens and patterns)
determining that the first data pattern does not completely describe the one or more second tokens; and 
updating the first data pattern to include a wildcard such that the updated first data pattern completely describes the one or more second tokens. (Gupta see paragraph 0057 if current point is within threshold distance then current point is labelled part of the nearest cluster)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include clustering as taught by Gupta for the predictable result of more efficiently processing data and determining anomalies.

Regarding claim 21, Furbish as modified further teaches: determining a distribution of token values at the first position in tokens assigned to the first data pattern; 

determining that the second raw machine data corresponding to the second token from the second raw machine data is anomalous in response to the token value at the first position in the second token from the data falling below the percentile; (Furbish see col 7 lines 4-20 col. 12 lines 4-28 entities used for comparison group is based on top percentiles such as 5% or 20% and only entities with top percentiles are used as a comparison group to determine anomalies and using percentile based comparison to determine anomalies)
determining that a third value of the second token from the data corresponds to the range of values; and (Furbish see col. 7 lines 3-40 col. 9 lines 39-60 for any given parameter a range is given and when determining an anomaly for example an employee works 4 hours a week as opposed to 40. This reads on any number of values and tokens)
indicating that there is a correlation between the second token having the third value and the data being anomalous. (Furbish see col. 11 lines 55-67 col. 12 lines 1-28 subset of values in first data values compared to subset of same kind of second data values to be compared and using a mean or standard deviation or distance calculations to determine anomaly.)
prior to the raw machine data being indexed and stored in the data intake and query system; (Muddu see paragraph 0135 0147 0152 0153 0190 0341 extracting tokens from raw machine data events from historical data historical data reads on prior to generation of machine data)
extracting one or more second tokens from second raw machine data, the second raw machine data generated by the one or more components in the information technology environment; (Muddu see paragraph 0135 0190 0194 extracting tokens from event data from raw machine data in information technology environment)
causing display of second information indicating the second raw machine data being anomalous (Muddu see paragraph 0539 see fig. 56 comparison yielding anomalies shown in diagram)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
	Furbish does not teach: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern
updating the minimum cluster distance based on a creation of the new data pattern;
comparing the one or more second tokens to the first set of data patterns and the new data pattern; and 

wherein the first data pattern comprises a wildcard at a first position;
Gupta teaches: assigning the one or more tokens to a new data pattern separate from the first set of data patterns based on a distance between the one or more tokens and each data pattern in the first set being greater than a minimum cluster distance, wherein the one or more tokens is assigned to the new data pattern (Gupta see paragraph 0051-0055 a current slice or current point to be scanned to determine distance between the current point a different clusters determining if nearest clusters are within threshold distance. Current slices or points reads on tokens, clusters represent patterns)
updating the minimum cluster distance based on a creation of the new data pattern;
comparing the one or more second tokens to the first set of data patterns and the new data pattern; and 
assigning the one or more second tokens to a first data pattern in the first set of data patterns based on a distance between the one or more second tokens and the first data pattern being less than the updated minimum cluster distance. (Gupta see paragraph 0054 0055 0060-0063 if distance is not within threshold then current point is determined to be an unknown anomaly and then generating a new cluster thereby updating clusters and distances as historical points of data for new points to be compared. This reads on any number of tokens and patterns)
(Gupta see paragraph 0057 if current point is within threshold distance then current point is labelled part of the nearest cluster)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include clustering as taught by Gupta for the predictable result of more efficiently processing data and determining anomalies.

Regarding claims 15, 16,18, 20, note the rejection of claim(s) 17, 19, and 21. The instant claims recite substantially same limitations as the above-rejected claims and are therefore rejected under same prior-art teachings.


Claim(s) 22 are/is rejected under 35 U.S.C. 103 as being unpatentable over Furbish US10496817 in view of Muddu et al. US2017/0063896 in view of Liu et al. US2020/0004736
	Regarding claim 22, Furbish as modified teaches: raw machine (Muddu see paragraph 0194 raw machine data)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include extracting tokens from raw machine data as taught by Muddu for the predictable result of more efficiently processing data and determining anomalies.
Furbish does not teach: identifying one or more delimiters in the data; 
identifying the one or more tokens based on the identified one or more delimiters; and 
forming the one or more tokens using the one or more tokens.
	Liu teaches: identifying one or more delimiters in the data; 
identifying the one or more tokens based on the identified one or more delimiters; and 
forming the one or more tokens using the one or more tokens. (Liu see paragraph 0091 data objects to have tokens which can be a delimiter)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified a method of detecting anomalies as taught by Furbish to include delimiters as taught by Liu for the predictable result of more efficiently processing and organizing data.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALLEN S LIN whose telephone number is (571)270-0612.  The examiner can normally be reached on M-F 9-5.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alford Kindred can be reached on (571)272-4037.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALLEN S LIN/Examiner, Art Unit 2153