DETAILED ACTION
The action is in response to communications filed on 12/20/2021
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiners Amendment

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with the Applicant's representative Vikas Bharagava on January 10 2022. 
The application has been amended as follows:

In the claims
1.	(Currently Amended) A method, comprising: 
as implemented by a component in a data processing pipeline,
extracting a first token having a first value and a second token having a second value the first token extracted from the first raw machine data element first character string in the first raw machine data element that represents the first value, and wherein the second token extracted from the first raw machine data element comprises a second character string in the first raw machine data element that represents the second value;
comparing the the first and second tokens extracted from the first raw machine data element to a data pattern , wherein the data pattern comprises the first token having a third value in a first position in the data pattern and the second token having a fourth value in a second position in the data pattern; 
determining that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous in response to the comparison of the first and second tokens extracted from the first raw machine data element to the data pattern, wherein the first value of the first token is determined to be anomalous prior to the first raw machine data element being indexed and stored in a data intake and query system;
determining that [[a]] the second value of [[a]] the second token extracted from the first raw machine data element is non-anomalous;
extracting the first token having a fifth value and the second token having a sixth value from a second raw machine data element;
determining that [[a]] the fifth extracted from the second raw machine data element is anomalous and that [[a]] the sixth extracted from the second raw machine data element is non-anomalous;
performing a statistical function on the second value of the second token extracted from the first raw machine data element and the sixth of the second token extracted from the second raw machine data element; 
determining that the second token corresponds to a range of values when the first token has an anomalous value based on performing the statistical function; and
causing display of information indicating that has when has 
2.	(Currently Amended) The method of Claim 1, wherein determining that [[a]] the fifth extracted from the second raw machine data element is anomalous and that [[a]] the sixth extracted from the second raw machine data element is non-anomalous further comprises:
extracting the first token and the second token from the second raw machine data element, the second raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
comparing the first token and the second token extracted from the second raw machine data element to the pattern 
determining that the fifth extracted from the second raw machine data element to the pattern 
storing the sixth extracted from the second raw machine data element, wherein the sixth or a maximum value in the range of values.
3.	(Currently Amended) The method of Claim 1, wherein determining that [[a]] the fifth extracted from the second raw machine data element is anomalous and that [[a]] the sixth extracted from the second raw machine data element is non-anomalous further comprises:
extracting the first token and the second token from the second raw machine data element, the second raw machine data generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
comparing the first token and the second token extracted from second raw machine data element to the pattern 
determining that the fifth extracted from the second raw machine data element is anomalous in response to the comparison of the first token and the second token extracted from the second raw machine data element to the pattern 
storing the sixth extracted from the second raw machine data element, wherein the sixth 
having a seventh value and the second token having an eighth value from a third raw machine data element, the third raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
comparing the first token and the second token extracted from the third raw machine data element to the pattern 
determining that [[a]] the seventh extracted from the third raw machine data element is anomalous in response to the comparison of the first token and the second token extracted from the third raw machine data element to the pattern 
storing [[a]] the eighth extracted from the third raw machine data element, wherein the eighth 
4.	(Currently Amended) The method of Claim 1, further comprising:
extracting the first token and the second token from the second raw machine data element, the second raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
comparing the first token and the second token extracted from the second raw machine data element to the pattern 
determining that the fifth extracted from the second raw machine data element is anomalous in response to the comparison of the first token extracted from the second raw machine data element to the pattern 
storing the sixth extracted from the second raw machine data element, wherein the sixth 
extracting the first token having a seventh value and the second token having an eighth value from a third raw machine data element, the third raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
comparing the first token and the second token extracted from the third raw machine data element to the pattern 
determining that [[a]] the seventh extracted from the third raw machine data element is anomalous in response to the comparison of the first token and the second token extracted from the third raw machine data element to the pattern 
storing [[a]] the eighth extracted from the third raw machine data element, wherein the eighth 
extracting the first token having a ninth value and the second token having a tenth value from a fourth raw machine data element, the fourth raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
extracted from the fourth raw machine data element to the pattern 
determining that [[a]] the ninth extracted from the fourth raw machine data element is not anomalous in response to the comparison of the first token and the second token extracted from the fourth raw machine data element to the pattern 
determining that [[an]] the tenth extracted from the fourth raw machine data element does not fall within the range of values; and
determining that the range of values correlates to values of the first token being anomalous. 
5.	(Previously Presented) The method of Claim 1, wherein the second value of the second token matches a specific value.
6.	(Currently Amended) The method of Claim 1, further comprising: 
determining that a seventh 
causing display of information indicating that there is a correlation between the second token having the second value, the third token having the seventh 
7.	(Original) The method of Claim 1, wherein the information indicates that the first value of the first token is anomalous.
8.	(Original) The method of Claim 1, wherein the information comprises at least one of a notification, a table, a graph, a chart, or an annotated version of the raw machine data.

10.	(Currently Amended) The method of Claim 1, wherein extracting the first token having the first value and the second token having the second value the first raw machine data element further comprises extracting the first token and the second token 
11.	(Currently Amended) The method of Claim 1, wherein a stream of raw machine data is ingested into the data intake and query system in sequence, wherein the stream of raw machine data comprises the first raw machine data element, the second raw machine data element, and other raw machine data elements that follow the first raw machine data element in time, and wherein determining that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous further comprises determining that the first value of the first token 
12.	(Currently Amended) The method of Claim 1, wherein a stream of raw machine data is ingested into the data intake and query system in sequence, wherein the stream of raw machine data comprises the first raw machine data element, the second raw machine data element, and other raw machine data elements that follow the first raw machine data element in time, and wherein the method further comprises determining in sequence, for each of the other raw machine data elements, whether the respective other raw machine data element is anomalous as the respective other raw machine data element is ingested into the data intake extracted from the first raw machine data element is anomalous.
13.	(Currently Amended) The method of Claim 1, wherein extracting the first token having the first value and the second token having the second value first and second 
14.	(Currently Amended) The method of Claim 1, wherein extracting the first token having a first value and the second token having the second value first token and the second token extracted from the first raw machine data element, and wherein each element of the string vector corresponds to one of the first and second 
15.	(Currently Amended) The method of Claim 1, wherein determining that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous further comprises: 
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the 
determining that the first value of the first token is anomalous in response to an assignment of the first and second tokens extracted from the first raw machine data element 
Currently Amended) The method of Claim 1, wherein determining that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous further comprises: 
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the 
updating the minimum cluster distance based on a creation of the new data pattern; and
determining that the first value of the first token is anomalous in response to an assignment of the first and second tokens extracted from the first raw machine data element 
17.	(Currently Amended) The method of Claim 1, wherein determining that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous further comprises: 
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the first and second tokens extracted from the first raw machine data element are 
updating the minimum cluster distance based on a creation of the new data pattern; and
determining that the first value of the first token is anomalous in response to an assignment of the first and second tokens extracted from the first raw machine data element 
18.	(Currently Amended) The method of Claim 1, wherein determining that a first value of a first token in the one or more tokens extracted from the first raw machine data element is anomalous further comprises:
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the first and second tokens extracted from the first raw machine data element are assigned to the new data pattern prior to the first raw machine data element being indexed and stored in the data intake and query system;
updating the minimum cluster distance based on a creation of the new data pattern;

comparing the one or more third tokens extracted from the third raw machine data element to the pattern 
assigning the one or more third tokens extracted from the third raw machine data element to the 
19.	(Currently Amended) The method of Claim 1, further comprising:
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the first and second tokens extracted from the first raw machine data element are assigned to the new data pattern prior to the first raw machine data element being indexed and stored in the data intake and query system;
updating the minimum cluster distance based on a creation of the new data pattern;

comparing the one or more third tokens extracted from the third raw machine data element to the pattern 
assigning the one or more third tokens extracted from the third raw machine data element to the 
determining that the 
updating the 
20.	(Currently Amended) The method of Claim 1, further comprising:
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the first and second tokens extracted from the first raw machine data element 

extracting one or more third tokens from a third raw machine data element, the third raw machine data element generated by the one or more components in the information technology environment;
comparing the one or more third tokens extracted from the third raw machine data element to the pattern 
assigning the one or more third tokens extracted from the third raw machine data element to the extracted from the third raw machine data element and the third 
determining a distribution of token values at the third 
determining that a token value at the third third 
determining that the third raw machine data element corresponding to the one or more third tokens is anomalous in response to the token value at the third third 
21.	(Currently Amended) The method of Claim 1, further comprising:
assigning the first and second tokens extracted from the first raw machine data element pattern first and second tokens extracted from the first raw machine data element the first and second tokens extracted from the first raw machine data element 
updating the minimum cluster distance based on a creation of the new data pattern;
extracting a third token from a third raw machine data element, the third raw machine data element generated by the one or more components in the information technology environment;
comparing the third token extracted from the third raw machine data element to the pattern 
assigning the third token extracted from the third raw machine data element to the extracted from the third raw machine data element and the third 
determining a distribution of token values at the third 
determining that a token value at the third 
third element falling below the percentile;
determining that a seventh extracted from the third raw machine data element corresponds to the range of values; and
causing display of second information indicating that there is a correlation between the third token having the seventh element being anomalous.
22.	(Currently Amended) The method of Claim 1, wherein extracting the first token having the first value and the second token having the second value 
identifying one or more delimiters in the first raw machine data element; and
, identifying the first and second tokens from the first raw machine data element; 

23.	(Currently Amended) The method of Claim 1, further comprising:
extracting one or more third tokens from a third raw machine data element;
comparing the extracted one or more third tokens to the pattern 
seventh pattern 
determining that no token in the one or more third tokens is correlated with the fourth token having the seventh 
extracting a fifth token from the third raw machine data element;
determining that there is a correlation between the fifth token and the fourth token; and
causing display of information indicating that there is a correlation between the fifth token having an eighth 
24.	(Currently Amended) A system, comprising:
one or more data stores including computer-executable instructions; and
one or more processors configured to execute the computer-executable instructions, wherein execution of the computer-executable instructions causes the system to:
extract a first token having a first value and a second token having a second value the first token extracted from the first raw machine data element first character string in the first raw machine data element that represents the first value, and wherein the second token extracted from the first raw machine data element comprises a second character string in the first raw machine data element that represents the second value;
compare the the first and second tokens extracted from the first raw machine data element to a pattern , wherein the data pattern comprises the first token having a third value in a first position in the data pattern and the second token having a fourth value in a second position in the data pattern; 
determine that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous in response to the comparison of the first and second tokens extracted from the first raw machine data element to the data pattern, wherein the first value of the first token is determined to be anomalous prior to the first raw machine data element being indexed and stored in a data intake and query system;
determine that [[a]] the second value of [[a]] the second token extracted from the first raw machine data element is non-anomalous;
extract the first token having a fifth value and the second token having a sixth value from a second raw machine data element;
determine that [[a]] the fifth extracted from the second raw machine data element is anomalous and that [[a]] the sixth extracted from the second raw machine data element is non-anomalous;
statistical function on the second value of the second token extracted from the first raw machine data element and the sixth of the second token extracted from the second raw machine data element; 
determining that the second token corresponds to a range of values when the first token has an anomalous value based on performing the statistical function; and
cause display of information indicating that has when has 
25.	(Currently Amended) The system of Claim 24, wherein execution of the computer-executable instructions further causes the system to:
extract the first token and the second token from the second raw machine data element, the second raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
compare the first token and the second token extracted from the second raw machine data element to the pattern 
determine that the fifth pattern 
sixth extracted from the second raw machine data element, wherein the sixth or a maximum value in the range of values.
26.	(Original) The system of Claim 24, wherein the information comprises at least one of a notification, a table, a graph, a chart, or an annotated version of the raw machine data.
27.	(Currently Amended) The system of Claim 24, wherein execution of the computer-executable instructions further causes the system to:
extract one or more third tokens from a third raw machine data element;
compare the extracted one or more third tokens to the pattern 
determine that a seventh pattern 
determine that no token in the one or more third tokens is correlated with the fourth token having the seventh 
extract a fifth token from the third raw machine data element;
determine that there is a correlation between the fifth token and the fourth token; and
cause display of information indicating that there is a correlation between the fifth token having an eighth 
28.	(Currently Amended) Non-transitory computer-readable media comprising instructions executable by a computing system to:
a first token having a first value and a second token having a second value the first token first character string in the first raw machine data element that represents the first value, and wherein the second token comprises a second character string in the first raw machine data element that represents the second value;
compare the the first and second tokens extracted from the first raw machine data element to a data pattern , wherein the data pattern comprises the first token having a third value in a first position in the data pattern and the second token having a fourth value in a second position in the data pattern; 
determine that [[a]] the first value of [[a]] the first token extracted from the first raw machine data element is anomalous in response to the comparison of the first and second tokens extracted from the first raw machine data element to the data pattern, wherein the first value of the first token is determined to be anomalous prior to the first raw machine data element being indexed and stored in a data intake and query system;
determine that [[a]] the second value of [[a]] the second token extracted from the first raw machine data element is non-anomalous;
extract the first token having a fifth value and the second token having a sixth value from a second raw machine data element;
the fifth extracted from the second raw machine data element is anomalous and that [[a]] the sixth extracted from the second raw machine data element is non-anomalous;
perform a statistical function on the second value of the second token extracted from the first raw machine data element and the sixth of the second token extracted from the second raw machine data element; [[to]] 
determine that the second token corresponds to a range of values when the first token has an anomalous value based on performing the statistical function; and
cause display of information indicating that has when has 
29.	(Currently Amended) The non-transitory computer-readable media of Claim 28, further comprising instructions executable by a computing system to:
extract the first token and the second token from the second raw machine data element, the second raw machine data element generated by the one or more components in the information technology environment prior to generation of the first raw machine data element;
compare the first token and the second token extracted from the second raw machine data element to the pattern;
determine that the fifth of the first token and the second token extracted from the second raw machine data element to the data pattern; and
store the sixth extracted from the second raw machine data element, wherein the sixth or a maximum value in the range of values.
30.	(Currently Amended) The non-transitory computer-readable media of Claim 28, further comprising instructions executable by a computing system to:
extract one or more third tokens from a third raw machine data element;
compare the extracted one or more third tokens to the pattern 
determine that a seventh 
determine that no token in the one or more third tokens is correlated with the fourth token having the seventh 
extract a fifth token from the third raw machine data element;
determine that there is a correlation between the fifth token and the fourth token; and
cause display of information indicating that there is a correlation between the fifth token having an eighth 


Reasons for Allowance

	The following is an examiner’s statement of reasons for allowance:
	The closest prior art of record Furbish US10496817 discloses a system to identify anomalous value in account data by comparing account data with a baseline and if value exceed threshold for baseline it is determined to be an anomaly. Muddu et al. US2017/0063896 teaches outgoing traffic log of devices to be processed prior to being input into the system determining if an anomaly exists, determination is made then data is stored and queried using index.
	After further consideration of the prior records of art, the prior art alone or in combination do not in combination with the other limitations of the independent claim teach or disclose the inventive concept of related tokens being used such that if a certain token is within a certain range than another related token is deemed to be anomalous. The limitations of the inventive concept in combination with the other limitations of the independent claims make it novel and unobvious over the prior art of record.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALLEN S LIN whose telephone number is (571)270-0612.  The examiner can normally be reached on M-F 9-5.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ALLEN S LIN/Examiner, Art Unit 2153