DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a non-final, first Office action on the merits. 
Claims 1-20 is pending.

Information Disclosure Statement
Information disclosure statements (IDS) were submitted 3/5/2019, 7/24/2019, 4/14/2020, and 1/20/2021. The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Drawings
The Drawings filed on 14 January 2019 have been acknowledged. 

Specification
The specification, as originally filed, has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.


Claim Objections
Claims 4, 10-11, 18, and 20 are objected to because of the following informalities:  
Claims 4, 10, and 20 disclose “...same said…”. The examiner notes based on the claim construction, this language may create confusion within the claim. The examiner encourages applicant to review the impacted claims and make appropriate changes where necessary. Appropriate action is required.
Claim 11 recite “said message hash code”. The examiner suggests applicant confirm on the record which feature this element refers back to. Appropriate action is required.
Claim 18 discloses “…upon completion of said training…”. The examiner notes the preceding limitations of claim 18 does not recite limitations directed to training. Also, claim 1, to which claim 18 depends, only recites a “training message”. The examiner suggests applicant review and make appropriate changes where necessary. Appropriate action is required. 

Examiner Remarks
The examiner notes the claim set has not been thoroughly checked for all possible objections and/or rejections related to clarity and/or antecedent basis issues –similar to the issues identified above. The examiner notes applicant is encouraged to provide claim elements that are clearly discernible (throughout independent and corresponding dependent claims) and/or that are consistently referring back to preceding claimed elements. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, and 8-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by U.S. Patent Application Publication, US 20190370347, to Tomer Levy et al, hereinafter “Levy”.

Regarding claim 1, Levy teaches a method (Levy, ¶ [0057], teaches there are provided methods and systems for clustering a plurality of log messages received from one or more originating sources and relating to one or more computing platforms, infrastructures, services, applications, processes and/or the like) comprising: generating, based on a message sequence of tokens that were extracted from a training message, a message signature (Levy, ¶ [0057], teaches the clustering of the ; matching the message signature to a cluster signature that represents a plurality of messages of a cluster of a plurality of clusters that have distinct signatures (Levy, ¶ [0065-0066], teaches the associated log messages may be analyzed, for example, using one or more text comparison methods, techniques and/or algorithms for example, “gestalt pattern matching” (based on Ratcliff and Obershelp method), regex and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects … Using these text comparison algorithms, matching constant part(s) may be identified in all training log messages associated with a respective cluster and defined as constant tokens in the representative string pattern of the respective cluster); adding the training message to the cluster (Levy, ¶ [0063], teaches in case the calculated string distance between the textual content of a respective training log message and the represented string pattern of one of the clusters is within (does not exceed) a predefined (distance) threshold, the respective training log message is associated (clustered) with the respective cluster. In case the calculated string distance between the textual content of a respective training log message and the represented string pattern of any of the clusters exceeds the predefined threshold, a new cluster is created in (added to) the clustering model for the respective training log message); extracting, based on a data type of the cluster signature, a data value from content of a second message (Levy, ¶ [0058], teaches one or more of the log messages may further include one or more additional elements, for example, a ; wherein the method is performed by one or more computers (Levy, ¶ [0093], teaches reference is also made to FIG. 2, which is a schematic illustration of an exemplary system for creating a clustering model used for clustering log messages, according to some embodiments of the present invention. An exemplary log messages analysis system, for example, a computer, a server, a computing node, a cluster of computing nodes and/or the like may include a network interface, a processor(s) for executing a process such as the process and a storage for storing code and/or data).  

Regarding claim 2, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the cluster signature comprises a cluster sequence of tokens that includes a cluster token at a particular position in the cluster sequence (Levy, ¶ [0080], teaches clustering the log message to their respective clusters may significantly improve pattern detection of sequence of received log messages); a current token occurs at said particular position in the message sequence of the training message (Levy, ¶ [0080], teaches  since each log message is associated with a respective cluster and is mapped to the respective representative ; the data type of the cluster signature comprises the cluster token specifies the data type (Levy, ¶ [0079], teaches clustering the log message may significantly improve anomaly detection since inability to associate one or more of the log messages with respective cluster(s) may be highly indicative of one or more anomalies in the computing platforms, infrastructures, services, applications and/or processes to which the log messages relate. Moreover, based on further analysis, for example, a statistical analysis, statistics may be produced for the pattern(s) and/or value(s) of the un-clustered (unassociated) log message(s) to detect the anomaly type, its nature, characteristics and/or the like).  

Regarding claim 3, Levy teaches the claimed invention substantially as claimed, and Levy further teaches selecting the cluster signature comprises detecting that the cluster signature and the message signature have a same hash code (Levy, ¶ [0065], teaches find matching parts in two strings, or possibly in a list of any hash-able objects).  

Regarding claim 8, Levy teaches the claimed invention substantially as claimed, and Levy further teaches extracting, from the first message, a field name of at least one token of the sequence of tokens (Levy, ¶ [0096], teaches one or more of the training log messages may include the entire log message entity including, for example, metadata, extracted field(s) and/or the like. Each of the log messages may therefore .  

Regarding claim 9, Levy teaches the claimed invention substantially as claimed, and Levy further teaches calculating a cluster hash code based on at least one of: a same count of tokens in the sequence of tokens of each message in the cluster, a same field name of a token in the sequence of tokens of each message in the cluster, or a same string value consisting of punctuation for a token in the sequence of tokens of each message in the cluster (Levy, ¶ [0065], teaches using one or more text comparison methods, techniques and/or algorithms for example, “gestalt pattern matching” (based on Ratcliff and Obershelp method), regex and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects. Levy, ¶ [0076], teaches by arranging the log messages to present only their common representative string patterns (of their associated clusters) and a count of the log messages clustered to each of the clusters, the visualization of the log messages may be further improved allowing efficient presentation of the log files to one or more users, for example, an analyst using the log messages to analyze the process, service and/or application relating to the log messages. Further, Levy, ¶ [0111], teaches the log messages analyzer may apply a regular expressions detector and/or the like to identify one or more of the known (regular) expressions, patterns, symbols and/or the like in the .  

Regarding claim 10, Levy teaches the claimed invention substantially as claimed, and Levy further teaches said cluster and a second cluster of messages comprise same said cluster hash code (Levy, ¶ [0065], teaches find matching parts in two strings, or possibly in a list of any hash-able objects).  

Regarding claim 11, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the method further comprises generating a message signature based on the first sequence of tokens (Levy, ¶ [0145], teaches the log messages analyzer may use the extracted representative string patterns for calculating the string distance and cluster accordingly additional training log messages accordingly during the training phase as well as non-training log messages during the run-time phase. The representative string patterns comprises a common string pattern shared by all the training log messages associated with the respective cluster and may include one or more constant tokens and/or one or more variable fields adapted to receive a plurality of values included in the log messages of associated with the respective cluster); calculating said message hash code is based on the message signature (Levy, ¶ [0149], teaches the log messages analyzer may align the training log messages of the cluster using one or more alignment algorithms and identify matching tokens (parts) in the training log messages using one or more of the text comparison methods, techniques and/or algorithms, for example, “gestalt pattern matching” and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects. Using these algorithms, the log messages analyzer may identify matching constant parts among the plurality of training log messages associated with the cluster and may define these constant parts as constant tokens in the representative string pattern).  

Regarding claim 12, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the cluster signature is said message signature when the cluster of messages contains only the first message (Levy, ¶ [0064], teaches since clustering the log messages essentially relies on calculating the string distance between the processed log message and the representative string pattern of each of the clusters, the clustering model may be regarded as structure (e.g. a tree) of representative string patterns. The representative string pattern extracted for each of the clusters may be selected and/or constructed using one or more implementations. In the most naïve implementation, the representative string pattern of a certain cluster may simply be one of the training log messages already clustered (associated) to the certain cluster. This may be the case specifically when the certain cluster contains only a single log message).  

Regarding claim 13, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the cluster has a cluster signature that is compatible with the message signatures of the messages of the cluster (Levy, ¶ [0043], teaches the representative string pattern is a fundamental element in clustering the log messages. Therefore in order to accurately and efficiently represent the log message(s) associated with each cluster the respective representative string pattern may be constructed to include constant tokens and variable fields common to the associated messages where the variable fields may accept different values in different log messages); adding said first message to the cluster comprises, in response to detecting that the message signature of the first message is incompatible with the cluster signature, adjusting the cluster signature to be a generalization of the message signatures of each of: the first message and the messages of the cluster (Levy, ¶ [0046], teaches two or more of the plurality of clusters of the clustering model are merged to create a new unified cluster in case the string distance between the representative string pattern of the at least two clusters is within a predefined merging threshold. Merging clusters may allow adapting the clustering model to accurately follow the structure and content of the log messages. This may significantly improve accuracy of the clustering model which may significantly improve accuracy, efficiency and/or rapidness in processing the log messages).  

Regarding claim 14, Levy teaches the claimed invention substantially as claimed, and Levy further teaches said plurality of data types comprises a generic type that is compatible with any value (Levy, ¶ [0070], teaches high entropy, .  

Regarding claim 15, Levy teaches the claimed invention substantially as claimed, and Levy further teaches said training comprises training a message parser that is selected, based on the first message, from a plurality of message parsers (Levy, ¶ [0061], teaches prior to the clustering process, either during the training phase and/or during the run-time phase, the log messages are partitioned (divided) to one or more subsets based on one or more attributes common to the respective subset of log messages, for example, a metadata value (if available) describing, for example, a type of the log message, a log level and/or the like, a length of the training log message, a number of variables identified within the training log message and/or the like).  

Regarding claim 16, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the first message encodes a hierarchical structure such that at least one token of the sequence of tokens comprises a value comprising a second sequence of tokens (Levy, ¶ [0062], teaches during the training phase, the clustering model, for example, a tree (decision tree), a list and/or the like is created by clustering together training log messages according to a similarity of the textual content of the training log messages. Levy, ¶ [0098], teaches using the .  

Regarding claim 17, Levy teaches the claimed invention substantially as claimed, and Levy further teaches at least one token of the sequence of tokens comprises at least one of: a) a value and a field name, and/or b) a hash code of the value and/or a hash code of the field name (Levy, ¶ [0043], teaches the representative string pattern of one or more of the plurality of clusters is created by extracting a common string pattern shared by all training log messages associated with the one or more clusters, the common string pattern comprising one or more constant tokens and one or more variable fields adapted to receive a plurality of values included in the log messages of a respective cluster).  

Regarding claim 18, Levy teaches the claimed invention substantially as claimed, and Levy further teaches the cluster signature comprises a sequence of tokens (Levy, ¶ [0067], teaches for one or more of the clusters, one or more constant tokens may be identified which may slightly vary among a multitude of training log messages associated with the respective cluster. In such case the slightly varying tokens may be replaced with respective variable fields in the representative string pattern thus the textual content of the multitude of log messages conforms to the representative string pattern); each token of the sequence of tokens comprises a set of possible data types and respective probabilities (Levy, ¶ [0159], teaches the ; the method further comprises, upon completion of said training, for each token in the sequence of tokens of the cluster signature, removing, from the set of possible data types, all data types except a data type with a highest respective probability (Levy, ¶ [0111], teaches the log messages analyzer may further remove from the training log messages irrelevant and/or unnecessary marks, signs and/or the like from the training log messages, for example, a punctuation sign, a comment sign and/or the like).  

Regarding claim 19, Levy teaches one or more non-transitory computer-readable media storing instructions that, when executed by one or more processors (Levy, ¶ [0101], teaches the processor(s) may execute one or more software modules, for example, a process, a script, an application, an agent, a utility, a tool and/or the like each comprising a plurality of program instructions stored in a non-transitory medium such as the storage and executed by one or more processors such as the processor(s). For example, the processor(s) may execute a log messages analyzer module for analyzing the plurality of training log messages during a training , cause: generating, based on a message sequence of tokens that were extracted from a training message, a message signature (Levy, ¶ [0057], teaches the clustering of the log messages is done in two phases, first during a training phase a clustering model is created using a plurality of training log messages and during a run-time phase the clustering model may be used to cluster a plurality of actual (non-training) log messages); matching the message signature to a cluster signature that represents a plurality of messages of a cluster of a plurality of clusters that have distinct signatures (Levy, ¶ [0065-0066], teaches the associated log messages may be analyzed, for example, using one or more text comparison methods, techniques and/or algorithms for example, “gestalt pattern matching” (based on Ratcliff and Obershelp method), regex and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects … Using these text comparison algorithms, matching constant part(s) may be identified in all training log messages associated with a respective cluster and defined as constant tokens in the representative string pattern of the respective cluster); adding the training message to the cluster  (Levy, ¶ [0063], teaches in case the calculated string distance between the textual content of a respective training log message and the represented string pattern of one of the clusters is within (does not exceed) a predefined (distance) threshold, the respective training log message is associated (clustered) with the respective cluster. In case the calculated string distance between the textual content of a respective training log message and the represented string pattern of any of the clusters exceeds the predefined threshold, a new cluster is created in (added to) the ; extracting, based on a data type of the cluster signature, a data value from content of a second message (Levy, ¶ [0058], teaches one or more of the log messages may further include one or more additional elements, for example, a metadata and/or the like while other elements of the log message may be removed, for example, an extracted field, an extracted symbol and/or the like. The textual content of each log message may therefore include a text structure comprising one or more tokens (lexical tokens) which may include a token name and/or a token value, for example, an identifier assigned in a computer (software) program, a keyword used by the computer program, a separator (punctuator), an operator, a symbol, a literal (a numeric, a logical, a textual, a symbolic and/or a reference literal), a comment (e.g. line, block, etc.) and/or the like).  


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 4-7, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication, US 20190370347, to Tomer Levy et al, hereinafter “Levy”, in view of U.S. Patent Application Publication, US 20100088522, to John Barrus et al, hereinafter “Barrus”.

Regarding claim 4, Levy teaches a method (Levy, ¶ [0057], teaches there are provided methods and systems for clustering a plurality of log messages received from one or more originating sources and relating to one or more computing platforms, infrastructures, services, applications, processes and/or the like) comprising: training by: calculating a message code based on a first sequence of tokens that were extracted from a first message (Levy, ¶ [0062], teaches the training phase is an iterative process in which each training log message is compared for similarity to previously processed training log messages. The similarity may be evaluated using, for example, a string metric such as, for example, Levenshtein distance and/or the like to calculate a string distance between the textual content of each processed training log message and a representative string pattern of each of the clusters); adding said first message to a cluster of messages that have same said message code (Levy, ¶ [0063], teaches in case the calculated string distance between the textual content of a respective training log message and the represented string pattern of one of the clusters is within (does not exceed) a predefined (distance) threshold, the respective training log message is associated (clustered) with the respective cluster. In case the calculated string distance between the textual content of a respective training log message and the represented string pattern of any of the clusters exceeds the predefined threshold, a new cluster is created in (added to) the clustering model for the respective training log message); and -50-50277-5323 (ORA 180523-US-NP)generating, based on said cluster of messages, a cluster signature that describes said cluster of messages (Levy, ¶ [0065-0066], teaches the associated log messages may be analyzed, for example, using one or more text comparison methods, techniques and/or algorithms for example, “gestalt pattern matching” (based on Ratcliff and Obershelp method), regex and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects … Using these text comparison algorithms, matching constant part(s) may be identified in all training log messages associated with a respective cluster and defined as constant tokens in the representative string pattern of the respective cluster); after said training: extracting a second sequence of tokens from a second message (Levy, ¶ [0058], teaches one or more of the log messages may further include one or more additional elements, for example, a metadata and/or the like while other elements of the log message may be removed, for example, an extracted field, an extracted symbol and/or the like. The textual content of each log message may therefore include a text structure comprising one or more tokens (lexical tokens) which may include a token name and/or a token value, for example, an identifier assigned in a computer (software) program, a keyword used by the computer program, a separator (punctuator), an operator, a symbol, a literal (a numeric, a logical, a textual, a symbolic and/or a reference literal), a comment (e.g. line, block, etc.) and/or the like); calculating same said message code based on said second sequence of tokens (Levy, ¶ [0145], teaches the log messages analyzer may use the extracted representative string patterns for calculating the string distance and cluster accordingly additional training log messages accordingly during the training phase as well as non-training log messages during the run-time phase. The representative string patterns comprises a common string pattern shared by ; selecting, based on said message code, said cluster signature (Levy, ¶ [0149], teaches the log messages analyzer may align the training log messages of the cluster using one or more alignment algorithms and identify matching tokens (parts) in the training log messages using one or more of the text comparison methods, techniques and/or algorithms, for example, “gestalt pattern matching” and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects. Using these algorithms, the log messages analyzer may identify matching constant parts among the plurality of training log messages associated with the cluster and may define these constant parts as constant tokens in the representative string pattern); and parsing, based on a data type of a token of said cluster signature, said second message (Levy, ¶ [0104], teaches the process is an iterative process in which the log messages analyzer process each of the plurality of training log messages compared to previously processed training log messages. Initially the clustering model is empty, i.e. comprises no clusters. Levy, ¶ [0111], teaches the log messages analyzer may preprocess the training log messages. The log messages analyzer may analyze, for example, parse, scan, explore, inspect and/or the like each of the training log messages to identify one or more known (regular) expressions, patterns, symbols and/or the like in the training log messages and replace them with respective predefined expressions, symbols, identifiers and/or the like); wherein the method is performed by one or more computers (Levy, ¶ [0093], teaches reference is also made to FIG. 2, .  
Levy teaches the limitations as identified above. 
Levy does not explicitly teach: the message code is a message hash code as claimed in the series of limitations.
However, Barrus teaches the message code is a message hash code (Barrus, ¶ [0048-0049], teaches a log is to create a sequence of records where each record is made up of a message, Mi, and a rolling checksum, ri. The rolling checksum is so named because it is computed from the current message and the previous checksum, and thus changes with each record. The rolling hash for the ith record can be computed as: r i=hash(r i−1 ·M i) where the message and the previous checksum are concatenated (represented by the “.”) and provided to the hash function … If one of the messages in the log is modified, or one of the checksums in the log is modified, then with high probability the subsequent checksum value recorded in the log will not correspond to the hash of the message and previous checksum. Thus modifying a record in a manner that cannot be detected would require changing the message and recomputing all subsequent checksums).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Levy (disclosing training 

Regarding claim 5, the modification of Levy and Barrus teaches the claimed inventions substantially as claimed, and Levy further teaches wherein said first sequence of tokens comprises at least one fuzzy token that specifies a plurality of possible data types for the fuzzy token (Levy, ¶ [0070], teaches high entropy, exceeding a predefined splitting threshold, detected for a certain variable field of a plurality of log messages associated (clustered) with certain cluster may indicate that the variable field is indeed a variable since the certain variable field receives many different values (patterns) for different log messages. Levy, ¶ [0159], teaches the log files analyzer may analyze entropy between the values of each of one or more variables identified for a plurality of training log messages associated with a respective cluster. The higher the entropy for a certain variable field, the more different values this variable field gets in at least some of the associated training log messages hence the probability that the variable is indeed a variable is high. In contrast, the lower the entropy for a certain variable identified for a plurality of training log messages associated with a respective cluster, the less different values this variable gets in the associated training log messages).  

Regarding claim 6, the modification of Levy and Barrus teaches the claimed inventions substantially as claimed, and Levy further teaches wherein the at least one fuzzy token comprises a respective association of a respective probability with each type of the plurality of possible data types (Levy, ¶ [0159], teaches the log files analyzer may analyze entropy between the values of each of one or more variables identified for a plurality of training log messages associated with a respective cluster. The higher the entropy for a certain variable field, the more different values this variable field gets in at least some of the associated training log messages hence the probability that the variable is indeed a variable is high. In contrast, the lower the entropy for a certain variable identified for a plurality of training log messages associated with a respective cluster, the less different values this variable gets in the associated training log messages).  

Regarding claim 7, the modification of Levy and Barrus teaches the claimed inventions substantially as claimed, and Levy further teaches wherein the plurality of possible data types does not include a respective association of a type with a respective zero probability (Levy, ¶ [0129-0130], teaches the log messages analyzer receiving the exemplary training log messages may construct the clustering model as follows. The example further relates to an initial training step of the clustering model when there are no clusters defined by the clustering model and hence the log messages analyzer fails to find a matching pattern for the received exemplary training log messages … Processing and calculating the string distance for the first training log .  

Regarding claim 20, Levy teaches one or more non-transitory computer-readable media storing instructions that, when executed by one or more processors  (Levy, ¶ [0101], teaches the processor(s) may execute one or more software modules, for example, a process, a script, an application, an agent, a utility, a tool and/or the like each comprising a plurality of program instructions stored in a non-transitory medium such as the storage and executed by one or more processors such as the processor(s). For example, the processor(s) may execute a log messages analyzer module for analyzing the plurality of training log messages during a training phase and clustering them to create a clustering model comprising a plurality of clusters each grouping together one or more training log messages), cause: training by: calculating a message code based on a first sequence of tokens that were extracted from a first message (Levy, ¶ [0062], teaches the training phase is an iterative process in which each training log message is compared for similarity to previously processed training log messages. The similarity may be evaluated using, for example, a string metric such as, for example, Levenshtein distance and/or the like to calculate a string distance between the textual content of each processed training log message and a representative string pattern of each of the clusters); adding said first message to a cluster of messages that have same said message code (Levy, ¶ [0063], teaches in case the calculated string distance between the textual content of a respective training log message and the represented string pattern of one of the clusters ; and generating, based on said cluster of messages, a cluster signature that describes said cluster of messages (Levy, ¶ [0065-0066], teaches the associated log messages may be analyzed, for example, using one or more text comparison methods, techniques and/or algorithms for example, “gestalt pattern matching” (based on Ratcliff and Obershelp method), regex and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects … Using these text comparison algorithms, matching constant part(s) may be identified in all training log messages associated with a respective cluster and defined as constant tokens in the representative string pattern of the respective cluster); after said training: extracting a second sequence of tokens from a second message (Levy, ¶ [0058], teaches one or more of the log messages may further include one or more additional elements, for example, a metadata and/or the like while other elements of the log message may be removed, for example, an extracted field, an extracted symbol and/or the like. The textual content of each log message may therefore include a text structure comprising one or more tokens (lexical tokens) which may include a token name and/or a token value, for example, an identifier assigned in a computer (software) program, a keyword used by the computer program, a separator (punctuator), an operator, a symbol, a literal (a numeric, a logical, a textual, a symbolic and/or a reference literal), a ; calculating same said message code based on said second sequence of tokens (Levy, ¶ [0145], teaches the log messages analyzer may use the extracted representative string patterns for calculating the string distance and cluster accordingly additional training log messages accordingly during the training phase as well as non-training log messages during the run-time phase. The representative string patterns comprises a common string pattern shared by all the training log messages associated with the respective cluster and may include one or more constant tokens and/or one or more variable fields adapted to receive a plurality of values included in the log messages of associated with the respective cluster); -53-50277-5323 (ORA 180523-US-NP)selecting, based on said message code, said cluster signature (Levy, ¶ [0149], teaches the log messages analyzer may align the training log messages of the cluster using one or more alignment algorithms and identify matching tokens (parts) in the training log messages using one or more of the text comparison methods, techniques and/or algorithms, for example, “gestalt pattern matching” and/or the like adapted to find matching parts in two strings, or possibly in a list of any hash-able objects. Using these algorithms, the log messages analyzer may identify matching constant parts among the plurality of training log messages associated with the cluster and may define these constant parts as constant tokens in the representative string pattern); and parsing, based on a data type of a token of said cluster signature, said second message (Levy, ¶ [0104], teaches the process is an iterative process in which the log messages analyzer process each of the plurality of training log messages compared to previously processed training log messages. Initially the clustering model is empty, i.e. comprises no clusters. Levy, ¶ [0111], teaches the log messages analyzer .
Levy teaches the limitations as identified above. 
Levy does not explicitly teach: the message code is a message hash code as claimed in the series of limitations.
However, Barrus teaches the message code is a message hash code (Barrus, ¶ [0048-0049], teaches a log is to create a sequence of records where each record is made up of a message, Mi, and a rolling checksum, ri. The rolling checksum is so named because it is computed from the current message and the previous checksum, and thus changes with each record. The rolling hash for the ith record can be computed as: r i=hash(r i−1 ·M i) where the message and the previous checksum are concatenated (represented by the “.”) and provided to the hash function … If one of the messages in the log is modified, or one of the checksums in the log is modified, then with high probability the subsequent checksum value recorded in the log will not correspond to the hash of the message and previous checksum. Thus modifying a record in a manner that cannot be detected would require changing the message and recomputing all subsequent checksums).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Levy (disclosing training log messages) to include the teachings of Barrus (disclosing maintaining a tamper proof .


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US PGPub 20160092552 (Morfonios et al) discloses analyzing sets of data in an efficient manner, such that analytics can be effectively performed over that data. Classification operations can be performed to generate groups of similar log records. This permits classification of the log records in a cohesive and informative manner.


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALICIA M ANTOINE whose telephone number is (571)431-0687.  The examiner can normally be reached on Mon - Fri: 9am - 3pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PIERRE M VITAL can be reached on 571-272-4215.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ALICIA M ANTOINE/Examiner, Art Unit 2162                                                                                                                                                                                                        12/01/2021