DETAILED ACTION
Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Regarding U.S. provisional application 63/119,500, Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) is acknowledged. 
Information Disclosure Statement
The information disclosure statement submitted on 09/15/2022 has been considered by the examiner.
Claim Objections
Claims 7 and 18 are objected to because of the following informalities:
Claim 7 recites “receiving selection, through the interactive interface, selection of a particular cluster in the set of one or more clusters” in lines 2-3.  The term “selection” appears twice in such limitation and its use appears to be redundant.  The examiner suggests amending this limitation as follows: “receiving , through the interactive interface, selection of a particular cluster in the set of one or more clusters”
Claim 18 recites “receiving selection, through the interactive interface, selection of a particular cluster in the set of one or more clusters” in lines 2-4. The term “selection” appears twice in such limitation and its use appears to be redundant.  The examiner suggests amending this limitation as follows: “receiving , through the interactive interface, selection of a particular cluster in the set of one or more clusters”
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 10 recites the limitation "the at least one automated action" in line 1.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
Claim 1 recites a method for responding to a request to cluster a set of records, actually generating a set of one or more clusters, and then performing an action based on the at least one cluster.  Under the broadest reasonable interpretation, the limitations cover performance in the human mind with the assistance of physical aids (e.g., pen and paper), e.g., the “Mental Processing” grouping of abstract ideas.  For example:
receiving a request to cluster a set of records; (e.g., a person, such as an IT analyst or system administrator, can receive a request to analyze a set of system log files to look for specific error events, and to organize particular log files and log lines into clusters, where such log files can be physical paper printouts of logs)
responsive to receiving the request to cluster the set of records, identifying at least one dictionary that is associated with a set of one or more tokens and at least one of a set of one or more token weights or a set of one or more rules; (e.g., the person, such as an IT analyst or system administrator, can identify a paper manual, e.g., a dictionary, that contains guidelines for how to determine clusters, e.g., a set of one or more rules, along with word lists, indices, and glossaries assigning points to different key words, event types, and error types, e.g., a set of one or more tokens with corresponding token weights)
generating, based at least in part on the set of one or more tokens and at least one of the set of one or more token weights or the set of one or more rules associated with the dictionary, a set of one or more clusters, wherein each cluster in the set of one or more clusters represents a unique subset of one or more tokens associated with the dictionary and groups, from the set of records, a subset of one or more records mapped to the unique subset of one or more tokens associated with the dictionary; and (e.g., the person, such as an IT analyst or system administrator, can use the manual to organize the log records and log lines into clusters, where each cluster is represented by a unique keyword or set of keywords to represent the cluster, such as the cluster of log lines related to memory buffer overruns, the cluster of log lines related to login failures, etc.)
performing at least one action based on at least one cluster in the set of one or more clusters. (e.g., the person, such as an IT analyst or system administrator, can use the clusters of log records and log lines to perform an action, e.g., to troubleshoot that a particular system is running low on memory and physically installing additional memory modules, or that a particular individual seems to keep forgetting his/her password, and walking over to give some password tips to that individual).
This judicial exception is not integrated into a practical application. In particular, while the claim recites computer-related terms such as “tokens” and “clusters”, under the broadest reasonable interpretation such terms are not limited to the computer field of use. Moreover, the claimed “tokens” and “clusters” are recited at a high-level of generality such that they amount to no more than mere instructions to apply the exception using generic computer components and functions. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Claim 1 is directed to an abstract idea.
Claim 1 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using generic computer components and functions amounts to no more than mere instructions to apply the exception using generic computer components and functions. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claim is not patent eligible.
	Claims 2-6 depend from claim 1 and do not remedy any of the deficiencies recited in claim 1 and are therefore rejected under the same grounds as claim 1 above.  
Claim 2 merely recites the mental processes for associating token weights with negative sentiments.  
Claim 3 recites domain-specific dictionaries (e.g., a manual for the software testing domain, a manual for e-mail systems, a manual for firewalls, etc.) and having corresponding token weights associated with the meaning in such domain (e.g., certain words in log records may have different meanings for e-mail systems, firewalls, and software testing, respectively).  
Claim 4  merely recites utilizing first and second domain-specific dictionaries and using such dictionaries to generate first and second clusters of log records, which is merely the same mental processes as set forth with respect to claim 1 as applied to additional domains.  
Claim 5 recites using first and second dictionaries to generate first and second clusters, where at least one cluster in the second set of clusters groups recording based on at least one token that is not in the first dictionary, and again is merely the same mental processes as set forth with respect to claim.
Claim 6 recites that a cluster may correspond to a first set of tokens but not a second set of tokens, and again is merely the same mental process as set forth with respect to claim 1.
Therefore, with respect to claims 2-6, none of these claims recite limitations that amount to anything more than the same or a similar abstract idea as recited in claim 1. Nor do any of these claims recite limitations that sufficiently (a) integrate the abstract idea into a practical application because they does not impose any meaningful limits on practicing the abstract idea or (b) amount to significantly more than the judicial exception, because the additional limitations of using generic computer components and functions amount to no more than mere instructions to apply the exception using generic computer components and functions.  

Claim 7 depends from claim 1 and does not remedy any of the deficiencies recited in claim 1 and is therefore rejected under the same grounds as claim 1 above.  Claim 7 further recites an “interactive interface” having first and second layers permitting a user to display the clusters and aggregated information associated with log records mapped to the subset of one or more tokens represented by the selected cluster.  Except for the “interactive” portion of the interface, claim 7 merely recites the mental processes of aggregating (e.g., summarizing) cluster information, such as if a IT analyst wrote a summary of a cluster record on a piece of paper (e.g., “lines X, Y, and Z in these records all pertain to memory buffer overruns), where the summary is written with 2 levels (e.g., level 1 is a reproduction of the log lines at issue, and level 2 is a summary of commonalities).
This judicial exception is not integrated into a practical application. In particular, while the claim recites “interactive interface” such interface is recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components and functions. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Moreover, displaying information via an interface is merely insignificant extra-solution activity.  MPEP 2106.04 I.
Claim 7 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. With respect to the claimed “interactive interface” having first and second layers, such an interactive interface with two or more layers, is well-known, routine, and conventional activity, as evidenced by at least:
US 20160255236 A1 (Roche et al. – filed 02/28/2015) at para. 0014 and Fig. 3: discloses “conventional” user interface that utilizes multiple layers of an interactive electronic display user interface.
US 20190336767 A1 (Kelpfer et al. – filed 05/03/2018) at para. 0122 and Fig. 8: it is “understood that various arrangements of one or more interactive windows, screens, tabs, pull down menus, or the like may be displayed in user interface”.
US 20090100339 A1 (Wharton-Ali, et al. – filed 12/01/2006) at para. 0056 and Fig. 3: “interface elements such as menus, buttons, and other like interactive items are known to the skilled artisan to be interchangeable”
US 20060129447 A1 (Dockery et al. – filed 12/16/2004) at para. 0032: “conventional user interfaces for interactive operation at multiple levels”

Claims 8-9 depend from claim 1 and do not remedy any of the deficiencies recited in claim 1 and are therefore rejected under the same grounds as claim 1 above.  
Claim 8 merely recites the mental process of, responsive to receiving a second request from a user, to add at least one token extracted from a log record to at least one dictionary (e.g., reading a log file, identifying a word/log line, and inserting it into a paper manual, e.g., a dictionary).
Claim 9 merely recites the mental process of mapping a unique combination of tokens represented by a particular cluster to at least one descriptive label (e.g., identifying some keywords that represent a cluster, e.g., a cluster related to memory buffer overruns).
Therefore, with respect to claims 8-9, none of these claims recite limitations that amount to anything more than the same or a similar abstract idea as recited in claim 1. Nor do any of these claims recite limitations that sufficiently (a) integrate the abstract idea into a practical application because they does not impose any meaningful limits on practicing the abstract idea or (b) amount to significantly more than the judicial exception, because the additional limitations of using generic computer components and functions amount to no more than mere instructions to apply the exception using generic computer components and functions.  

Claim 10 depends from claim 1 and does not remedy any of the deficiencies recited in claim 1 and is therefore rejected under the same grounds as claim 1 above.  Claim 10 further recites:
wherein the at least one automated action comprises at least one of presenting a recommended remedy to address behavior represented by a particular cluster of log records, (e.g., an IT analyst reviewing a cluster of log records and determining a recommended remedy, e.g., recommending procuring additional memory to prevent memory buffer overruns and presenting such recommendation to a procurement professional within the same organization)
applying a patch to one or more resources associated with the particular cluster of log records, or (e.g., an IT analyst reviewing a cluster of log records and determining that a particular software application is running an old software version and looking up and applying certain software patches to bring the software up-to-date)
adjusting one or more configuration settings associated with the one or more resources associated with the particular cluster of log records. (e.g., an IT analyst reviewing a cluster of log records and deciding to change some configuration settings, e.g., apply more virtual memory to address memory buffer overruns)
This judicial exception is not integrated into a practical application. In particular, while the claim recites computer-related terms such as “automated” and “patch” and “configuration settings”, under the broadest reasonable interpretation such terms are not limited to the computer field of use. Moreover, the claimed limitations are recited at a high-level of generality such that they amount to no more than mere instructions to apply the exception using generic computer components and functions. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Claim 10 is directed to an abstract idea.
Claim 10 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using generic computer components and functions amounts to no more than mere instructions to apply the exception using generic computer components and functions. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claim is not patent eligible.
Claim 11 depends from claim 1 and does not remedy any of the deficiencies recited in claim 1 and is therefore rejected under the same grounds as claim 1 above.  Claim 11 further recites determining if a token is not an exact match a token represented by a cluster, but including the token in the subset of records anyway based on similarity (e.g., a person could mentally read and determine that the token “memory_buffer_overrun” is not exactly the same, but is similar to, “memory_buffer_overflow” and assign the tokens to the same group”. Therefore, with respect to claim 11, none of these claims recite limitations that amount to anything more than the same or a similar abstract idea as recited in claim 1. Nor do any of these limitations sufficiently (a) integrate the abstract idea into a practical application because they does not impose any meaningful limits on practicing the abstract idea or (b) amount to significantly more than the judicial exception, because the additional limitations of using generic computer components and functions amount to no more than mere instructions to apply the exception using generic computer components and functions.  

Claim 12 recites instructions that when executed by the one or more hardware processors correspond to the method of claim 1, and therefore claim 12 is rejected under the same grounds as discussed above with respect to claim 1.  The additional elements of claim 12 directed to “non-transitory computer-readable medium”, “instructions, and “one or more hardware processors” are merely generic computer components and functions that do not (a) integrate the abstract idea into a practical application because they does not impose any meaningful limits on practicing the abstract idea or (b) amount to significantly more than the judicial exception, because the additional limitations of using generic computer components and functions amount to no more than mere instructions to apply the exception using generic computer components and functions.  

	Claim 13 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 2, and therefore claim 13 is rejected under the same grounds as claims 2 and 12 above.
	Claim 14 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 3, and therefore claim 14 is rejected under the same grounds as claims 3 and 12 above.

Claim 15 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 4, and therefore claim 15 is rejected under the same grounds as claims 4 and 12 above.
Claim 16 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 5, and therefore claim 16 is rejected under the same grounds as claims 5 and 12 above.
Claim 17 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 6, and therefore claim 17 is rejected under the same grounds as claims 6 and 12 above.
Claim 18 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 7, and therefore claim 18 is rejected under the same grounds as claims 7 and 12 above.
Claim 19 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 8, and therefore claim 19 is rejected under the same grounds as claims 8 and 12 above.
Claim 20 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 9, and therefore claim 20 is rejected under the same grounds as claims 9 and 12 above.
	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 6, 9, 11, 12, 17, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Enuka et al., US 20200311414 A1, hereinafter referenced as ENUKA.

Regarding claim 1, ENUKA discloses:
A method comprising: (computer-implemented method of clustering a plurality of documents; para. 0008)
receiving a request to cluster a set of records; (Fig. 3, step 305, one or more documents are retrieved to add to a cluster; para. 0052; Fig. 8, correlator component 833 is employed to preprocess documents and cluster documents according to the methods set forth in ENUKA and orchestrator component 831 calls and coordinates separate handlers and/or microservices, including correlator 833, e.g., orchestrator 831 requests correlator 833 to preprocess and cluster documents and correlator 833 receives such request from orchestrator 831, e.g.; paras. 0105, 0108)
responsive to receiving the request to cluster the set of records, (orchestrator component 831 calls and coordinates separate handlers and/or microservices, including correlator 833, e.g., orchestrator 831 requests correlator component 833 to preprocess and clusters documents, and correlator 833 receives such requests from orchestrator 831; paras. 0105, 0108) identifying at least one dictionary that is associated with a set of one or more tokens and at least one of a set of one or more token weights or a set of one or more rules; (during preprocessing, words in the document are tokenized and then each token is mapped to a unique ID number using a dictionary comprising a vocabulary of terms; paras. 0037-0039; bag-of-words analyses, e.g., rules, are performed to determine the number of occurrences of each token in the document, e.g., weights; para. 0042)
generating, based at least in part on the set of one or more tokens and at least one of the set of one or more token weights or the set of one or more rules associated with the dictionary, a set of one or more clusters, (Fig. 3, at step 340, the correlator 833 determines if a document should be added to an existing cluster 350 or a new cluster should be created 345, e.g., generate a new set of one or more clusters; para. 0067; a similarity score is computed between the current document feature vector and the cluster feature vector, such as via a cosine similarity score; para. 0061; the document feature vector is a bag-of-words, e.g., rules, numerical vector that represents tokens and the number of occurrences, e.g., token weights; paras. 0037, 0042) wherein each cluster in the set of one or more clusters represents a unique subset of one or more tokens associated with the dictionary and groups, from the set of records, a subset of one or more records mapped to the unique subset of one or more tokens associated with the dictionary; and (each cluster generally describes a group of documents that can be represented by a cluster feature vector, cluster hash list, or other cluster identification information, e.g., a cluster represents a unique subset of documents, which comprises one or more tokens associated with the dictionaries, where uniqueness is determined by a feature vector, hash list, or other identification information; para. 0051; for example, a cluster is represented by an average of the feature vectors for all the documents associated with a cluster, where documents that have a similarity score ranging from 0.9-0.97 are assigned to that cluster; paras. 0062-0063)
performing at least one action based on at least one cluster in the set of one or more clusters. (Fig. 3, step 370, after all documents have been assigned to a matching cluster, the system attempts to merge or combine similar clusters; para. 0072; downstream applications utilize dynamic clustering by displaying clusters and resulting information/statistics, such as cluster size, number of personal data found in the cluster, etc.; para. 0081; Fig. 6, method 600 for determining and displaying keywords from a cluster that are representative of the cluster; para. 0082)

Regarding claim 6, ENUKA discloses the method of claim 1.  ENUKA further discloses:
wherein generating the set of one or more clusters comprises:
selecting a first subset of tokens from the at least one dictionary based at least in part on token weights associated with tokens from the at least one dictionary; and (e.g., selecting tokens corresponding to a first document, e.g., first subset of tokens, from the dictionary, where tokens are selected based on the bag-of-words occurrence values, e.g., tokens in the dictionary should have an occurrence of at least 1; paras. 0037-0042)
clustering the set of records using the first subset of tokens; (Fig. 3, at step 340, the correlator 833 determines if a first set of documents, e.g., set of records, should be added to an existing cluster 350 or a new cluster should be created 345, e.g., generate a new set of one or more clusters, where a document feature vector for a document, e.g., a vector corresponding to the first subset of tokens, is compared to clusters to determine if the document belongs to the cluster or a new cluster needs to be created; paras. 0042, 0061, 0067)
wherein a second subset of tokens that have not been selected are not used to cluster the set of records. (e.g., the first set of documents does not contain certain words corresponding to tokens in the dictionary, e.g., second subset of tokens, and therefore the second subset of tokens are not part of the document feature vectors for any documents in the first set of documents and are not used to cluster any of the first set of documents;  0042, 0061, 0067)

Regarding claim 9, ENUKA discloses the method of claim 1.  ENUKA further discloses:
mapping a unique combination of tokens represented by a particular cluster in the set of one or more clusters to at least one descriptive label that describes at least one behavior represented by the particular cluster. (Fig. 7, documents in a particular cluster are labeled to identify the documents as belonging to a particular category (e.g., sensitive, marketing, financial, etc. – categorization exemplifies “behavior”, or a common function) where the cluster is represented by certain important tokens or keywords, e.g., unique combination of tokens; paras. 0084-0091; the examiner notes that the broadest reasonable interpretation of “behavior” in view of the specification includes a keyword pattern as disclosed in paragraph 0093 in the instant specification)

Regarding claim 11, ENUKA discloses the method of claim 1.  ENUKA further discloses:
wherein at least one record in the subset of records does not include an exact match to the subset of one or more tokens represented by the cluster; (Fig. 3, steps 310 and 315, a similarity score of a current document feature vector and current cluster feature vector is calculated and compared to a threshold, where any value under 1.00 is not an exact match under a cosine similarity distance metric; paras. 0061-0063)
wherein the at least one record is included in the subset of records based on a similarity between an extracted keyword and at least one keyword in the unique combination of tokens. (e.g., Fig. 3, steps 310 and 315, a similarity score of a current document feature vector and current cluster feature vector is calculated and compared to a threshold, where a high similarity score (from 0.9) indicates that the current document belongs to the current cluster, where the similarity score is based on a current feature vector, e.g., having an extracted keyword, and a cluster feature vector, e.g., a vector having keywords in the combination of tokens related to the cluster; paras. 0061-0063)

	Regarding claim 12, ENUKA discloses
A non-transitory computer-readable medium storing instructions which, when executed by one or more hardware processors, cause: (embodiments are implemented as computer programs executed using a processor, where storage includes non-transitory program carriers or other forms of computer readable media, e.g., hard disks, RAM, EPROM, EEPROM; paras. 0115-0120)
The remaining limitations in claim 12 claim instructions that when executed by the one or more hardware processors correspond to the method of claim 1, and therefore claim 12 is rejected under 35 USC 102 under the same grounds as claim 1 above with respect to ENUKA.

Claim 17 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 6, and therefore claim 17 is rejected under the same grounds as claims 6 and 12 above.
Claim 20 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 9, and therefore claim 20 is rejected under the same grounds as claims 9 and 12 above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over ENUKA in view of Allen et al., US 20150066814 A1, hereinafter referenced as ALLEN.

Regarding claim 2, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
a token weight for a given token is generated, at least in part, on a sentiment associated with a corresponding token, 
wherein a negative sentiment increases a weight given to the token.

	However, in a related field of endeavor, ALLEN discloses an approach for using natural language processing (NLP) to analyze data logs.  (para. 0004).  Log records are analyzed for words with potential negative connotations because such words are likely to be in close proximity to error messages.  (para. 0043).

	The ENUKA-ALLEN combination makes obvious:
a token weight for a given token is generated, at least in part, on a sentiment associated with a corresponding token, (ALLEN teaches that log files are analyzed using NLP techniques to determine words that have a negative sentiment and negative sentiment scores are assigned to particular sections or lines of data logs; ALLEN, paras. 0040-0044; the ENUKA-ALLEN combination now applies to the log records of ALLEN and in addition to a bag-of-words analysis, also embeds a token weight associated with the negative sentiment score of ALLEN; ENUKA, paras. 0037-39, 0042 with ALLEN, paras. 0040-0044)
wherein a negative sentiment increases a weight given to the token. (ALLEN teaches that negative sentiment scores are emphasized due to their likely proximity to an error message; ALLEN, para. 0043; the ENUKA-ALLEN combination now applies to the log records of ALLEN and in addition to a bag-of-words analysis, also embeds a token weight associated with the negative sentiment score of ALLEN, where a more negative sentiment score further increases the weight given to the respect token; ENUKA, paras. 0037-39, 0042 with ALLEN, paras. 0040-0044)

	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the NLP sentiment analysis teachings of ALLEN to ENUKA.  As disclosed in ALLEN, one of ordinary skill would be motivated to do so because with respect to log records, words with negative connotations are more likely to relate to potential error messages.  (para. 0043).  One of ordinary skill would further be motivated to utilize the teachings of ALLEN to help software developers perform software tracing, where collections of log files can now be clustered to more readily identify and highlight clusters of error messages.  (paras. 0001, 0004).

	Claim 13 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 2, and therefore claim 13 is rejected under the same grounds as claims 2 and 12 above.

Claims 3-5 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over ENUKA in view of Huang, Shaohan, et al. "Paddy: An event log parsing approach using dynamic dictionary." NOMS 2020-2020 IEEE/IFIP Network Operations and Management Symposium. IEEE, (June 8, 2020), pp. 1-8, hereinafter referenced as HUANG.

Regarding claim 3, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
wherein the at least one dictionary includes a domain-specific dictionary generated for a particular domain, 
wherein a token weight associated with a corresponding token is determined, at least in part, by a meaning of the corresponding token in the particular domain.

However, in a related field of endeavor, HUANG pertains to an event log parsing approach that uses dynamic dictionaries to parse log files. (p. 2, section 1 and Fig. 2).  A dynamic dictionary is used to map and index tokens to log candidate templates.  (p. 2, section II.A and pp. 3-4, section II.E).  Template candidates are ranked and scored using similarity and length features.  (p. 3, section II.D).  

The ENUKA-HUANG combination makes obvious:
wherein the at least one dictionary includes a domain-specific dictionary generated for a particular domain, (HUANG discloses using domain knowledge, typically regular expressions, to preprocess log files; HUANG, pp. 2-3, section II.B; the pre-processed log files are tokenized, ranked, and used to create and update a dynamic dictionary, e.g., a domain-specific dictionary; HUANG, pp. 3-4, sections II.C-E; domain knowledge includes commonly-used variables for the domain, such as IP address and block ID, e.g., common variables used for a particular type of log file; HUANG, pp. 3-4, section II.E; the ENUKA-HUANG combination now applies to the log records of HUANG and modifies the dictionary to include the dynamic dictionary teachings of HUANG, including pre-processing log files using domain knowledge for the type of log file; ENUKA, paras. 0037-39, 0042 with Huang, pp. 2-4, sections II.B-II.E)
wherein a token weight associated with a corresponding token is determined, at least in part, by a meaning of the corresponding token in the particular domain. (ENUKA discloses that a bag-of-words analysis is performed to determine the number of occurrences of each token in the document, e.g., weights; para. 0042; HUANG discloses that each token is associated with a list of IDs of log template candidates, where each log template candidate has an associated fitting score; HUANG, pp. 2-3, sections II.A and II.D; the ENUKA-HUANG combination now applies to the log records in a particular domain as disclosed by HUANG and modifies the token embeddings in the dictionary to include a list of IDs of log template candidates and their associated fitting scores as in HUANG, e.g., token weights based at least in part on a “meaning of the corresponding token in the particular domain.”; ENUKA, para. 0042 with HUANG, pp. 2-3, sections II.A and II.D; the examiner notes that the broadest reasonable interpretation of “meaning of the corresponding token in the particular domain” includes determining frequency of how often a particular token appears as explained in paras. 0045-0046 in the instant specification)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the teachings of HUANG with ENUKA.  As disclosed in HUANG, one of ordinary skill would be motivated to utilize the improved log parsing techniques with dynamic dictionaries to convert raw log files to structured log templates. (p. 1, section 1).  One of ordinary skill would understand that these structured log templates would help developers better analyze and understand log data and to extract key diagnostic information with respect to failure events. (p. 1, section 1).  
The examiner notes that one of ordinary skill would further be motivated to convert log files to structured log templates to improve the clustering as taught by ENUKA to provide downstream applications with meaningful insights about resulting information/statistics, such as cluster size and representative keywords, to better perform data mining and analysis. (ENUKA, paras. 0081, 0082).

Regarding claim 4, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
wherein the at least one dictionary includes a first domain-specific dictionary generated for a first domain and a second domain-specific dictionary generated for a second domain; 
wherein generating the set of one or more clusters comprises generating a first set of clusters for log records associated with the first domain using the first domain-specific dictionary and 
generating a second set of clusters for log records associated with the second domain using the second domain-specific dictionary.

However, in a related field of endeavor, HUANG pertains to an event log parsing approach that uses dynamic dictionaries to parse log files. (p. 2, section 1 and Fig. 2).  The system in HUANG was tested on 16 different data sets for various types of log files, e.g., domains.  (p. 4, Table 1, summarizing the different data sets).  A dynamic dictionary was constructed for each data set, which led to the HUANG PADDY system having the best accuracy for some of the log datasets that other systems had accuracy problems with due to their short log messages that lacked much information.  (p. 5, section III.D).  

The ENUKA-HUANG combination makes obvious:
wherein the at least one dictionary includes a first domain-specific dictionary generated for a first domain and a second domain-specific dictionary generated for a second domain; (HUANG discloses 16 different log data sets, e.g., each a domain, and a dynamic dictionary is created and updated using domain knowledge for each, for example, distributed system logs such as HDFS, Spark, OpenStack may each be sub-domains of the distributed system domain, and Windows, Linux, and Mac are sub-domains of the operating system domain, where the types of logs, error messages, and token words used in each domain and each sub-domain may differ; HUANG, pp. 2-4, sections II.A-E and Table 1, section III.D; the ENUKA-HUANG combination now applies the dynamic dictionary teachings of HUANG, including pre-processing log files using domain knowledge for the type of log file, and applies the ENUKA clustering system and data analysis system to the various domains disclosed in HUANG; ENUKA, paras. 0037-39, 0042 with Huang,. 2-4, sections II.A-E and Table 1, section III.D)
wherein generating the set of one or more clusters comprises generating a first set of clusters for log records associated with the first domain using the first domain-specific dictionary and (the ENUKA-HUANG combination now has correlator 833 in ENUKA apply to the log files of HUANG, where log files from a first domain, e.g., distributed systems domain, are clustered by correlator 833 in ENUKA using a dictionary of ENUKA that has been modified to include the dynamic dictionary teachings of HUANG, including pre-processing log files using domain knowledge for a first dataset related to distributed systems, e.g., first domain; ENUKA, paras. 0037-39 with Huang, pp. 2-4, sections II.B-II.E, table 1)
generating a second set of clusters for log records associated with the second domain using the second domain-specific dictionary. (the ENUKA-HUANG combination now has correlator 833 in ENUKA apply to the log files of HUANG, where log files from a second domain, e.g., operating systems domain, are clustered by correlator 833 in ENUKA using a dictionary of ENUKA that has been modified to include the dynamic dictionary teachings of HUANG, including pre-processing log files using domain knowledge for a second dataset related to operating systems, e.g., second domain; ENUKA, paras. 0037-39 with Huang, pp. 2-4, sections II.B-II.E, table 1)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the teachings of HUANG with ENUKA.  As disclosed in HUANG, one of ordinary skill would be motivated to utilize the improved log parsing techniques with dynamic dictionaries to convert raw log files to structured log templates. (p. 1, section 1).  One of ordinary skill would understand that these structured log templates would help developers better analyze and understand log data and to extract key diagnostic information with respect to failure events. (p. 1, section 1).  
The examiner notes that one of ordinary skill would further be motivated to convert log files to structured log templates to improve the clustering as taught by ENUKA to provide downstream applications with meaningful insights about resulting information/statistics, such as cluster size and representative keywords, to better perform data mining and analysis. (ENUKA, paras. 0081, 0082).

Regarding claim 5, ENUKA discloses the method of claim 1.  ENUKA further discloses:
wherein the set of one or more clusters is generated using a first dictionary; (Fig. 3, at step 340, the correlator 833 determines if a document should be added to an existing cluster 350 or a new cluster should be created 345, e.g., generate a new set of one or more clusters; para. 0067; a similarity score is computed between the current document feature vector and the cluster feature vector, such as via a cosine similarity score; para. 0061; the document feature vector is a bag-of-words, e.g., rules, numerical vector that represents dictionary tokens and the number of occurrences, e.g., token weights; paras. 0037-0039, 0042)

However, ENUKA fails to explicitly teach:
wherein the method further comprises: 
generating a second set of clusters using a second dictionary that includes at least one token that is not in the first dictionary, wherein each cluster in the second set of clusters represents a unique combination of tokens from the second dictionary
wherein at least one cluster in the second set of clusters groups records based on the at least one token that is not in the first dictionary.

However, in a related field of endeavor, HUANG pertains to an event log parsing approach that uses dynamic dictionaries to parse log files. (p. 2, section 1 and Fig. 2).  The system in HUANG was tested on 16 different data sets for various types of log files, e.g., domains.  (p. 4, Table 1, summarizing the different data sets).  

The ENUKA-HUANG combination makes obvious:
	wherein the method further comprises:
generating a second set of clusters using a second dictionary that includes at least one token that is not in the first dictionary, wherein each cluster in the second set of clusters represents a unique combination of tokens from the second dictionary; (HUANG discloses creating and updating dynamic dictionaries using domain knowledge, where domain knowledge includes commonly-used variables and key words, e.g., “IP Address” and “Block ID”; HUANG, pp. 2-4, sections II.A-E; ENUKA discloses generating clusters that can be represented by a cluster feature vector, cluster hash list, or other cluster identification information, e.g., a cluster represents a unique subset of documents, which comprises one or more tokens associated with the dictionaries, where uniqueness is determined by a feature vector, hash list, or other identification information; ENUKA, para. 0051; the ENUKA-HUANG combination now generates a second set of clusters using the ENUKA clustering techniques using a dynamic dictionary, e.g., a dynamic dictionary for operating system domain, where each cluster in the second set of clusters for the operating system logs represents a cluster with its own cluster feature vector, e.g., a cluster represents a unique subset of log files and corresponding tokens, where uniqueness is determined by a feature vector, hash list, or other identification information; ENUKA, paras. 0037-0042, 0051, with HUANG, pp. 2-4, sections II.A-E)
wherein at least one cluster in the second set of clusters groups records based on the at least one token that is not in the first dictionary. (HUANG discloses 16 different log data sets, for example, distributed system logs such as HDFS and Hadoop may each be sub-domains of the distributed system domain, and Windows, Linux, and Mac are sub-domains of the operating system domain, where the types of logs, error messages, and token words used in each domain and each sub-domain may differ; HUANG, pp. 2-4, sections II.A-E and Table 1; the ENUKA-HUANG combination now has first set of clusters related to a first domain of log files, e.g., distributed system log files, and a second set of clusters for a second domain of log files, e.g., operating system log files, where a cluster in the operating system domain is based on tokens related to mouse and keyboard IRQ failures of the host computer, and the cluster for distributed systems has no tokens related to “mouse” or “keyboard” or “IRQ” because there are no log events related to such concepts; ENUKA, paras. 0037-0042, 0051, with HUANG, pp. 2-4, sections II.A-E)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the teachings of HUANG with ENUKA.  As disclosed in HUANG, one of ordinary skill would be motivated to utilize the improved log parsing techniques with dynamic dictionaries to convert raw log files to structured log templates. (p. 1, section 1).  One of ordinary skill would understand that these structured log templates would help developers better analyze and understand log data and to extract key diagnostic information with respect to failure events. (p. 1, section 1).  
The examiner notes that one of ordinary skill would further be motivated to convert log files to structured log templates to improve the clustering as taught by ENUKA to provide downstream applications with meaningful insights about resulting information/statistics, such as cluster size and representative keywords, to better perform data mining and analysis. (ENUKA, paras. 0081, 0082).

Claim 14 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 3, and therefore claim 14 is rejected under the same grounds as claims 3 and 12 above.
Claim 15 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 3, and therefore claim 15 is rejected under the same grounds as claims 4 and 12 above.
Claim 16 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 5, and therefore claim 16 is rejected under the same grounds as claims 5 and 12 above.

Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over ENUKA in view of Parthasarathy, US 20170169080 A1, hereinafter referenced as PARTHASARATHY.

Regarding claim 7, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
presenting, via a first layer of an interactive interface, the set of one or more clusters;
receiving selection, through the interactive interface, selection of a particular cluster in the set of one or more clusters;
responsive to the selection, presenting, via a second layer of the interactive interface, aggregate information associated with log records mapped to the subset of one or more tokens represented by the selected cluster.

However, in a related field of endeavor, PARTHASARATHY discloses providing a user interface for a user to interact with and use summaries of lines of log data, where logs are clustered and summarized.  (paras. 0005, 0030).

The ENUKA-PARTHASARATHY combination makes obvious:
presenting, via a first layer of an interactive interface, the set of one or more clusters; (PARTHASARATHY in Fig. 1D discloses user interface 100, where 1000 log lines are summarized in 8 groups, e.g., each of the 8 clusters are depicted as a first layer; PARTHASARATHY, para. 0019; the ENUKA-PARTHASARATHY combination now utilizes the user interface of PARTHASARATHY to enable the downstream applications and cluster analyses discussed in ENUKA; ENUKA, para. 0081 with PARTHASARATHY, para. 0019)
receiving selection, through the interactive interface, selection of a particular cluster in the set of one or more clusters; (PARTHASARATHY in Fig. 1D shows user interface element 104, which enables the user to select the cluster relating to the “The health service HTTP module….”; PARTHASARATHY, para. 0021; the ENUKA-PARTHASARATHY combination now utilizes the user interface of PARTHASARATHY with user interface element 104 to enable the downstream applications and cluster analyses discussed in ENUKA; ENUKA, para. 0081 with PARTHASARATHY, paras. 0019, 0021)
responsive to the selection, presenting, via a second layer of the interactive interface, aggregate information associated with log records mapped to the subset of one or more tokens represented by the selected cluster. (PARTHASARATHY in Fig. 1E shows an expanded set of log lines, e.g., second layer of the interactive interface, when user interface element 104 is selected by the user; PARTHASARATHY, para. 0020; ENUKA discloses that downstream applications utilize dynamic clustering by displaying clusters and resulting information/statistics, such as cluster size, number of personal data found in the cluster, and representative token keywords, e.g., aggregate information representative of the cluster; paras. 0081-0082; the ENUKA-PARTHASARATHY combination now utilizes the user interface of PARTHASARATHY with user interface element 104 to display a second level of aggregated information, e.g., a second layer, where the second layer includes aggregated information related to particular representative keywords, e.g., representative tokens, of log lines in the cluster; ENUKA, paras. 0081, 0082 with PARTHASARATHY, paras. 0019-0021)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the user interface and log file teachings of PARTHASARATHY with ENUKA.  As disclosed in PARTHASARATHY, one of ordinary skill would be motivated to utilize the teachings of PARTHASARATHY in order to enable developers, DevOps teams, and IT professionals to cluster log file lines to better perform operational analytics.  (paras. 0002-0003).  One of ordinary skill would further be motivated to utilize the teachings of PARTHASARATHY in order to provide a user interface that summarizes similar lines, so that developers, DevOps teams, and IT professionals can easily review similar log files line at the same time.  (para. 0005).

Claim 18 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 7, and therefore claim 18 is rejected under the same grounds as claims 7 and 12 above.

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over ENUKA in view of Agrahari, et al., US 20200349225 A1, hereinafter referenced as AGRAHARI and further in view of PARTHASARATHY.

Regarding claim 8, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
receiving, from a user, a second request to add at least one token extracted from a log record to the at least one dictionary;
responsive to the request, adding the token to the at least one dictionary.

However, in a related field of endeavor, AGRAHARI pertains to a graphical user interface for visualizing markups amongst different versions of documents, such as contract documents, where different versions of the same document need to be stored and changes need to be tracked.  (paras. 0001, 0002).  A graphical user interface is provided so that a user can add tokens to a contract dictionary if desired.  (paras. 0004, 0037).

The ENUKA-AGRAHARI combination makes obvious:
receiving, from a user, a second request to add at least one token extracted from a record to the at least one dictionary; (AGRAHARI discloses that a user, via a graphical user interface, can request to add a string token from a contract to a contract dictionary; AGRAHARI, paras. 0004, 0037; the ENUKA-AGRAHARI combination now utilizes the graphical user interface of AGRAHARI so that users reviewing cluster records in ENUKA, e.g., downstream applications of clusters, are now permitted to manually add tokens extracted from a document into the dictionary, e.g., dictionaries are now displayable and editable if desired, where a user request is processed by orchestrator 831 which relays the request to correlator 833; ENUKA, paras. 0081, 0105 with AGRAHARI, paras. 0004, 0037).
responsive to the request, adding the token to the at least one dictionary. (AGRAHARI discloses that a user, via a graphical user interface, can add a string token from a contract to a contract dictionary; AGRAHARI, paras. 0004, 0037; the ENUKA-AGRAHARI combination now utilizes the graphical user interface of AGRAHARI so that users reviewing cluster records in ENUKA, e.g., downstream applications of clusters, are now permitted to manually add tokens extracted from a document into the dictionary, e.g., dictionaries are now displayable and editable if desired; ENUKA, para. 0081 with AGRAHARI, paras. 0004, 0037).

	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the graphical user interface and manual addition of token to a dictionary features of AGRAHARI to ENUKA.  As disclosed in AGRAHARI, one of ordinary skill would be motivated to provide such a feature to provide an interface for multiple entities to work together in a computer-implemented collaborative working environment.  (para. 0002).  One of ordinary skill would further be motivated to utilize the teachings of AGRAHARI relating to providing visual distinctions to string tokens to assist the user in viewing similarities and differences, including highlighting tokens that may be desired to be added to a dictionary.  (paras. 0004-0005).

However, the ENUKA-AGRAHARI combination fails to explicitly teach:
a log record

However, in a related field of endeavor, PARTHASARATHY discloses providing a user interface for a user to interact with and use summaries of lines of log data, where logs are clustered and summarized.  (paras. 0005, 0030).

The ENUKA-AGRAHARI-PARTHASARATHY combination makes obvious:
receiving, from a user, a second request to add at least one token extracted from a log record to the at least one dictionary; (PARTHASARATHY discloses providing a user interface for interacting with log files; PARTHASARATHY, paras 0005, 0030; AGRAHARI discloses that a user, via a graphical user interface, can request to add a string token from a contract to a contract dictionary; AGRAHARI, paras. 0004, 0037; the ENUKA-AGRAHARI- PARTHASARATHY combination now utilizes the graphical user interface of AGRAHARI so that users reviewing cluster records in ENUKA of log files as disclosed in PARTHASARATHY, are now permitted to manually add tokens extracted from a document into the dictionary, e.g., dictionaries are now displayable and editable if desired, where a user request is processed by orchestrator 831 which relays the request to correlator 833; ENUKA, paras. 0081, 0105 with AGRAHARI, paras. 0004, 0037 and PARTHASARATHY, paras 0005, 0030).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine the user interface and log file teachings of PARTHASARATHY with ENUKA and AGRAHARI.  As disclosed in PARTHASARATHY, one of ordinary skill would be motivated to utilize the teachings of PARTHASARATHY in order to enable developers, DevOps teams, and IT professionals to cluster log file lines to better perform operational analytics.  (paras. 0002-0003).  One of ordinary skill would further be motivated to utilize the teachings of PARTHASARATHY in order to provide a user interface that summarizes similar lines, so that developers, DevOps teams, and IT professionals can easily review similar log files line at the same time.  (para. 0005).

Claim 19 depends from claim 12 and claims a non-transitory computer-readable medium storing instructions executed by one or more hardware processors that correspond to the method of claim 8, and therefore claim 19 is rejected under the same grounds as claims 8 and 12 above.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over ENUKA in view of Nidd et al., US 20210133622 A1, hereinafter referenced as NIDD, and further in view of Liu, Kui, et al. "Mining fix patterns for findbugs violations." IEEE Transactions on Software Engineering 47.1 (2018): pp. 165-188, hereinafter referenced as LIU.

Regarding claim 10, ENUKA discloses the method of claim 1.  However, ENUKA fails to explicitly teach:
wherein the at least one automated action comprises at least one of 
presenting a recommended remedy to address behavior represented by a particular cluster of log records,
applying a patch to one or more resources associated with the particular cluster of log records, or
adjusting one or more configuration settings associated with the one or more resources associated with the particular cluster of log records.

However, in a related field of endeavor, NIDD discloses machine learning-based event handler techniques.  NIDD explains that an event handling system generally refers to a software and/or hardware-based system configured for processing events fully or semi-automatically, typically with the aim of keeping a technical system, in particular an IT-system, up-and running and/or ensuring that a particular technical workflow currently performed by the technical system can continue without interruptions and failures.  (para. 0118).  IBM provides a suite of event handling systems, including IBM Netcool Impact for real-time automation, event preparation, and business impact analysis, IBM Netcool Configuration Manager, for automating configuration and change management tasks, IBM Operations Analytics – Log Analysis Managed, IBM Runbook Automation, for automation of common tasks, and IBM Alert Notification, including combinations of these systems.  (para. 0119).
	
	Therefore, the ENUKA-NIDD combination makes obvious:
wherein the at least one automated action comprises at least one of (NIDD discloses the IBM event handling suite, which includes log analysis, and automatic or semi-automatic systems for keeping an IT-system up-and-running; NIDD, paras. 0118, 0119; ENUKA discloses that dynamic clustering methods can be utilized by downstream applications; ENUKA, para. 0081; the ENUKA-NIDD combination now applies the ENUKA dynamic clustering techniques to log files as disclosed in NIDD, and now downstream applications, such as the IBM event handling suite, are able to utilize the clustering techniques as applied to log files to provide automatic and semi-automatic event handling, e.g., automated actions; ENUKA, para. 0081 with NIDD, paras. 0118-0119)
presenting a recommended remedy to address behavior represented by a particular cluster of log records, (NIDD discloses the IBM event handling suite, which includes log analysis, and automatic or semi-automatic systems for keeping an IT-system up-and-running; NIDD, paras. 0118, 0119; NIDD further discloses a process for automatically responding to events using a event resolution workflow to remedy or counteract an event, e.g., storage full; NIDD, paras. 0073, 0078; ENUKA discloses that dynamic clustering methods can be utilized by downstream applications; ENUKA, para. 0081; the ENUKA-NIDD combination now applies the ENUKA dynamic clustering techniques to log files as disclosed in NIDD, and now downstream applications, such as the IBM event handling suite, are able to utilize the clustering techniques as applied to log files to provide automatic and semi-automatic event handling using log analysis, such as automatic and semi-automatic alert notifications notifying IT personnel when a cluster representing a particular event is detected, e.g., a behavior represented by a cluster of log records, where such alert notifications trigger an event resolution workflow to remedy the event as disclosed in NIDD; ENUKA, para. 0081 with NIDD, paras. 0073, 0118-0119)
adjusting one or more configuration settings associated with the one or more resources associated with the particular cluster of log records. (NIDD discloses the IBM event handling suite; NIDD, paras. 0118, 0119; ENUKA discloses that dynamic clustering methods can be utilized by downstream applications; ENUKA, para. 0081; the ENUKA-NIDD combination now applies the ENUKA dynamic clustering techniques to log files as disclosed in NIDD, and now downstream applications, such as the IBM event handling suite, are able to utilize the clustering techniques as applied to log files to provide automatic and semi-automatic event handling, including using IBM Netcool Configuration Manager for automatically managing configurations, e.g., adjusting configuration settings, in view of events detected by the dynamic clustering techniques applied to log files; ENUKA, para. 0081 with NIDD, paras. 0118-0119)

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to apply the event handling teachings of NIDD to the dynamic clustering teachings of ENUKA.  As disclosed in NIDD, one of ordinary skill would be motivated to apply the NIDD event handling systems as a downstream application of the ENUKA clustering techniques to provide an improved event handling system or complex IT-systems that can better interpret event messages for automated self-monitoring and diagnosis.  (NIDD, paras. 0005-0006).  As disclosed in NIDD, one of ordinary skill would further be motivated to apply the teachings of NIDD to ENUKA in order to further enhance the downstream application of using the ENUKA clustering techniques to better create training data sets for machine learning.  (NIDD, paras. 0079-0082).

	However, the ENUKA-NIDD combination fails to explicitly disclose:
applying a patch to one or more resources associated with the particular cluster of log records

	However, in a related field of endeavor, LIU pertains to a system for mining patterns to find software bugs and to automatically repair software through the automatic generation of software patches.  (p. 167, section 2, p. 175, section 3.5, p. 185, section 5.4).  The examiner notes that ENUKA similarly pertains to pattern matching.  (ENUKA, paras. 0007, 0025).

	The ENUKA-NIDD-LIU combination makes obvious:
applying a patch to one or more resources associated with the particular cluster of log records (LIU discloses mining patterns to automatically generate patches and perform fully automated software repair; LIU, p. 167, section 2, p. 175, section 3.5, p. 185, section 5.4; the ENUKA-NIDD-LIU combination now applies the ENUKA dynamic clustering techniques to log files as disclosed in NIDD and bug reports as in LIU, and now downstream applications, such as the IBM event handling suite, are able to utilize the clustering techniques as applied to log files to provide automatic and semi-automatic event handling and to perform automated software repair as disclosed in LIU; ENUKA, para. 0081 with NIDD, paras. 0118-0119 and LIU, p. 167, section 2, p. 175, section 3.5, p. 185, section 5.4)

	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to apply the data mining and automated software repair teachings of LIU to ENUKA and NIDD.  As disclosed in LIU, one of ordinary skill in the art would be motivated to make such a combination in order to identify fix patterns to generation bug fixes automatically.  (pp. 185-186, section 6).  One of ordinary skill would be further motivated to apply the teachings of LIU to employ the x-means clustering algorithm disclosed in LIU to the dynamic clustering of ENUKA.  (p. 169, section 2.4.1).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210117232 A1 (Sriharsha, et al.) discloses processing ingested pipeline metrics and ingested logs in an asynchronous manner as the data is being ingested to explain anomalies detected in the pipeline metrics using the ingested logs.  The anomy detection architecture (see Figs. 34, 35 at paras. 0790-0850), discloses analyzing log records to detect potential token anomalies, and a graphical user interface for allowing a user to analyze log records.
Dwaraki, Abhishek, et al. "Automated event identification from system logs using natural language processing." 2020 International Conference on Computing, Networking and Communications (ICNC). (March 30, 2020), pp. 209-215. Discloses applying natural language processing to system logs for automatic event identification.
Dai, Hetong, et al. "Logram: Efficient Log Parsing Using n-Gram Dictionaries." arXiv preprint arXiv:2001.03038 (Jan. 7, 2020). pp. 1-13.  Discloses log parsing using n-gram dictionaries, using regulation expressions to extract lists of tokens (see section 4), where tokens are assigned a frequency of occurrence, and a one-dimensional clustering method is applied to separate groups.
Nagappan, Meiyappan, et al. "Abstracting log lines to log event types for mining software system logs." 2010 7th IEEE Working Conference on Mining Software Repositories (MSR 2010). IEEE, 2010, pp. 114-117.  Discloses clustering similar frequency words in log files using automated analyses techniques for data mining.
Du, Min, et al. "Deeplog: Anomaly detection and diagnosis from system logs through deep learning." Proceedings of the 2017 ACM SIGSAC conference on computer and communications security. 2017, pp. 1285-1298.  Discloses a density-based clustering approach for clustering log keys. (p. 1291, section 4.3).
Shima, Keiichi. "Length matters: Clustering system log messages using length of words." arXiv preprint arXiv:1611.03213 (2016), pp. 1-10.  Discloses a two-pass technique for clustering system log messages by using the length of words in syslog messages.
Tang, Liang, Tao Li, et al. "LogSig: Generating system events from raw textual logs." Proceedings of the 20th ACM international conference on Information and knowledge management. 2011, pp. 785-794.  Discloses analyzing system log data using clustering techniques to generate system events and representative message signatures.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL C LEE whose telephone number is (571)272-4933. The examiner can normally be reached M-F 9:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Andrew Flanders can be reached on 571-272-7516. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL C. LEE/Examiner, Art Unit 2655                                                                                                                                                                                                        
/JESSE S PULLIAS/Primary Examiner, Art Unit 2655