DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 remain pending and are ready for examination.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/22/2021, 01/04/2022, 03/30/2022, and 06/24/2022 were filed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Step 1 Analysis:  
Independent claim 1 recites a system, independent claim 19 recites a method, independent claim 19 recites a computer program product. Therefore, step 1 is satisfied for claims 1-20.

Step 2A Prong One Analysis: the claim recites, inter alia:
The independent claims (1, 19 and 20) recite “determining a variance between the first set of status information results and the second set of status information results”: Those steps can be practically performed in the human mind with the help of pen and paper. For example, a person of ordinary skill in the art can mentally perform data observation, evaluation, or judgment to determine variations between data. Thus, this limitation is construed to be directed to the abstract idea of mental processes.
The limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components. Accordingly, the claim recites an abstract idea.
Therefore, such steps fall within the “mental process” grouping of abstract idea set forth in the 2019 PEG section I, 84 FED. Reg. at 52. The recitation of a computing device in the claims does not negate the mental nature of these limitations because the claim merely uses the computing device as a tool to perform the otherwise mental process. See October Update at section I(C)(ii). Thus, the limitations recite concepts that fall into the “mental process” grouping of abstract ideas.

Step 2A Prong Two Analysis:  
This judicial exception is not integrated into a practical application. The only limitations not treated above, “receive … a user query”, “in response to receiving, via a user interface, a user input” and “receive a first set of status information results and a second set of status information results”, involve the mere gathering of data, which is insignificant extra-solution activity. See MPEP § 2106.05(g): the courts found Mere Data Gathering to be insignificant extra-solution activity in multiple cases, for example iv. Obtaining information about transactions using the Internet to verify credit card transactions, CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011), wherein the obtaining information corresponds to receiving a data record. In particular, the claim only recites additional elements that are mere instructions to implement an abstract idea on a computer, or that merely use a computer as a tool to perform an abstract idea. The independent claims recite the combination of the additional elements, one or more processors and a non-transitory computer readable storage medium (in claim 20), to conduct the steps of “determining a variance between the first set of status information results and the second set of status information results”. See MPEP 2106.05(f). Each of the additional limitations is no more than mere instructions to apply the exception using a generic computing device. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.

Step 2B Analysis:  
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using generic computer components to perform the abstract idea amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The recitation of “receive … a user query”, “in response to receiving, via a user interface, a user input” and “receive a first set of status information results and a second set of status information results” involves the mere gathering of data, which is insignificant extra-solution activity. See MPEP § 2106.05(g): the courts found Mere Data Gathering to be insignificant extra-solution activity in multiple cases, for example iv. Obtaining information about transactions using the Internet to verify credit card transactions, CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011), wherein the obtaining information corresponds to receiving a data record. The claim is not patent eligible.


Regarding claim 2, the claim recites the additional element of “a selection of … element”, which involves the mere gathering of data, which is insignificant extra-solution activity. See MPEP § 2106.05(g): the courts found Mere Data Gathering to be insignificant extra-solution activity in multiple cases, for example iv. Obtaining information about transactions using the Internet to verify credit card transactions, CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011), wherein the obtaining information corresponds to receiving a data record.

Regarding claim 3, the claim recites the “wherein the status information collected from the one or monitored devices includes at least one of log messages and metrics” step, which merely expands on the abstract concept. Accordingly, claim 3 is directed to the same abstract idea of performing data observation, evaluation, or judgment to determine variations between data. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 4, the claim recites the “wherein the first and second sets of status information results are divided based at least in part on at least one of a spatial characteristic and a temporal characteristic” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 5, the claim recites the “wherein the at least one of the spatial characteristic and the temporal characteristic comprises at least one of a time window, a set of nodes, and a cohort of users” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 6, the claim recites the “wherein the at least one of the spatial characteristic and the temporal characteristic is selected by default or selected by the user” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 7, the claim recites the “wherein generating the first query and the second query comprises rewriting the user query to include a set of operator components” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 8, the claim recites the “wherein the set of operator components includes a time shift operator component” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 9, the claim recites the “wherein the first and second sets of status information results comprise tables, and wherein the one or more processors are further configured to join the first and second sets of status information results on a key column” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 10, the claim recites the “wherein the first and second queries generated from the user query comprise a same query associated with different time ranges” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 11, the claim recites the “wherein the first and second queries generated from the user query comprise different queries associated with a same time range” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 12, the claim recites the “wherein the first and second queries generated from the user query comprise different queries associated with different time ranges” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 13, the claim recites the “wherein the user query comprises a query for log messages, and wherein the user input comprises an indication to compare a first group of log messages against a second group of log messages” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 14, the claim recites the “wherein the first and second sets of status information results comprise first and second sets of log messages” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 15, the claim recites the “cluster the first set of log messages and to cluster the second set of log messages, and wherein a cluster is associated with a corresponding signature comprising a template for log messages included in the cluster” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 16, the claim recites the “wherein the one or more processors are further configured to determine a count of a number of log messages in a given cluster” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 17, the claim recites the “wherein the one or more processors are further configured to join, based at least in part on signatures, the first set of clustered log messages and the second set of clustered log messages” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Regarding claim 18, the claim recites the “wherein determining the variance between the first set of status information results and the second set of status information results comprises determining at least one of a difference in a number of logs in a given cluster, a presence of a cluster in the first set of status information results but not in the second set of status information results, and a presence of a cluster in the second set of status information results but not the first set of status information results” step, which merely expands on the abstract concept. Accordingly, the claim is directed to the same abstract idea of selecting a subset of data from among a list of data using any type of rule/criteria. As drafted, it is a process that, under its broadest reasonable interpretation, covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion) but for the recitation of generic computer components.

Double Patenting
The nonstatutory double patenting rejections are based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-1.jsp.

Claims 1-20 are non-provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 11188619. This is a non-provisional nonstatutory double patenting rejection.
Although the conflicting claims are not identical, they are not patentably distinct from each other because all the claimed limitations recited in the instant application are found in U.S. Patent No. 11188619.

| Instant Application No. 17383066 | U.S. Patent No. 11188619 |
| --- | --- |
| 1. A system, comprising: one or more processors configured to: receive, from a user, a user query for status information collected from one or more monitored devices; in response to receiving, via a user interface, a user input comprising an indication from the user to determine a variance between different portions of the collected status information, generate, from the user query, a first query and a second query; receive a first set of status information results and a second set of status information results in response to performing, respectively, the first query and the second query against data in a data store including the status information collected from the one or more monitored devices; and determine a variance between the first set of status information results and the second set of status information results; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. | 1. A system, comprising: one or more processors configured to: receive, from a user, a user query for status information collected from one or more monitored devices; in response to receiving, via a user interface, a user interaction with a user interface element comprising an indication from the user to determine a variance between different portions of the collected status information, rewrite the user query at least in part by adding at least one of a comparison operator or a time shift operator to the user query; based at least in part on addition of the at least one of the comparison operator or the time shift operator to the user query, generate a first query and a second query, wherein the first query and the second query comprise modified versions of the user query; receive a first set of status information results and a second set of status information results in response to performing, respectively, the first query and the second query against data in a data store including the status information collected from the one or more monitored devices; and provide, via the user interface, output indicative of a variance between the first and second sets of status information results; and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. |
| 2. The system of claim 1, wherein the user input comprises a selection of a user interface element. | See claim 1. |
| 3. The system of claim 1 wherein the status information collected from the one or monitored devices includes at least one of log messages and metrics. | 2. The system of claim 1 wherein the status information collected from the one or monitored devices includes at least one of log messages and metrics. |
| 4. The system of claim 1, wherein the first and second sets of status information results are divided based at least in part on at least one of a spatial characteristic and a temporal characteristic. | 3. The system of claim 1, wherein the first and second sets of status information results are divided based at least in part on at least one of a spatial and a temporal characteristic. |
| 5. The system of claim 4, wherein the at least one of the spatial characteristic and the temporal characteristic comprises at least one of a time window, a set of nodes, and a cohort of users. | 4. The system of claim 3, wherein the at least one of the spatial and the temporal characteristic comprises at least one of a time window, a set of nodes, and a cohort of users. |
| 6. The system of claim 4, wherein the at least one of the spatial characteristic and the temporal characteristic is selected by default or selected by the user. | 5. The system of claim 3, wherein the at least one of the spatial and the temporal characteristic is selected by default or selected by the user. |
| 7. The system of claim 1, wherein generating the first query and the second query comprises rewriting the user query to include a set of operator components. | See claim 1. |
| 8. The system of claim 7, wherein the set of operator components includes a time shift operator component. | See claim 1. |
| 9. The system of claim 1, wherein the first and second sets of status information results comprise tables, and wherein the one or more processors are further configured to join the first and second sets of status information results on a key column. | 6. The system of claim 1, wherein the first and second sets of status information results comprise tables, and wherein the one or more processors are further configured to join the first and second sets of status information results on a key column. |
| 10. The system of claim 1, wherein the first and second queries generated from the user query comprise a same query associated with different time ranges. | 7. The system of claim 1, wherein the first and second queries comprise a same query associated with different time ranges. |
| 11. The system of claim 1, wherein the first and second queries generated from the user query comprise different queries associated with a same time range. | 8. The system of claim 1, wherein the first and second queries comprise different queries associated with a same time range. |
| 12. The system of claim 1, wherein the first and second queries generated from the user query comprise different queries associated with different time ranges. | 9. The system of claim 1, wherein the first and second queries comprise different queries associated with different time ranges. |
| 13. The system of claim 1, wherein the user query comprises a query for log messages, and wherein the user input comprises an indication to compare a first group of log messages against a second group of log messages. | 10. The system of claim 1, wherein the user query comprises a query for log messages, and wherein the user interaction comprises an indication to compare a first group of log messages against a second group of log messages. |
| 14. The system of claim 13, wherein the first and second sets of status information results comprise first and second sets of log messages. | 11. The system of claim 10, wherein the first and second sets of status information results comprise first and second sets of log messages. |
| 15. The system of claim 14, wherein the one or more processors are further configured to cluster the first set of log messages and to cluster the second set of log messages, and wherein a cluster is associated with a corresponding signature comprising a template for log messages included in the cluster. | 12. The system of claim 11, wherein the one or more processors are further configured to cluster the first set of log messages and to cluster the second set of log messages, and wherein a cluster is associated with a corresponding signature comprising a template for log messages included in the cluster. |
| 16. The system of claim 15, wherein the one or more processors are further configured to determine a count of a number of log messages in a given cluster. | 13. The system of claim 12, wherein the one or more processors are further configured to determine a count of a number of log messages in a given cluster. |
| 17. The system of claim 16, wherein the one or more processors are further configured to join, based at least in part on signatures, the first set of clustered log messages and the second set of clustered log messages. | 14. The system of claim 13, wherein the one or more processors are further configured to join, based at least in part on signatures, the first set of clustered log messages and the second set of clustered log messages. |
| 18. The system of claim 17, wherein determining the variance between the first set of status information results and the second set of status information results comprises determining at least one of a difference in a number of logs in a given cluster, a presence of a cluster in the first set of status information results but not in the second set of status information results, and a presence of a cluster in the second set of status information results but not the first set of status information results. | 15. The system of claim 14, wherein the variance between the first and second sets of status information results comprises at least one of a difference in a number of logs in a given cluster, a presence of a cluster in the first set of status information results but not in the second set of status information results, and a presence of a cluster in the second set of status information results but not the first set of status information results. |

 
Claims 19-20 are rejected under the same rationale as claim 1.


Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6, 9, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Seward et al., U.S. Patent No: US 11196756  A1 (Hereinafter “Seward”) in view of Nakamura et al., U.S. Pub No: US 20080263105  A1 (Hereinafter “Nakamura”).

Regarding claim 1, Seward discloses A system, comprising: one or more processors configured to: 
receive, from a user, a user query for status information collected from one or more monitored devices (Seward, see col.17 line [6-38], wherein the events (status information) may be identified by executing a query for events including the particular field of interest. A set of events may be derived from data collected from one or more data sources within an enterprise network environment);
in response to receiving, via a user interface, a user input comprising an indication from the user (Seward, see col.17 line [6-67], wherein a search head may receive a query for events including a value of a specified field (e.g., “IP,” “IPDEST,” or “DEST”, as described above). The query may be based on, for example, a correlation search or any input received from a user via a GUI or other interface of a client application executable at the user's device), generate, from the user query, a first query and a second query (Seward, see col.17 line [6-38], wherein the search head can receive a query that was inputted by a user, then the search head can distribute the search process amongst the various indexers, which corresponds to generating, from the user query, a first query and a second query);
receive a first set of status information results and a second set of status information results in response to performing, respectively, the first query and the second query against data in a data store including the status information collected from the one or more monitored devices (Seward, see col.17 line [6-38], distributing the search process amongst the various indexers, e.g., which may be able to search for events responsive to a query in parallel, the search head can utilize the indexers to execute the query and obtain query results in a shorter amount of time. It should be noted that the indexers might use any conventional or proprietary search technique for executing the query. Also, as each indexer may store only a portion of the entire set of events and thus, produce only a partial set of search results in response to the query, the search head may be configured to combine the partial results from each indexer in order to form a complete or final set of search results in response to the query); and 
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (Seward, see col.27 line [19-34]).  
Seward fails to explicitly disclose the limitation below.
Nakamura discloses determine a variance between the first set of status information results and the second set of status information results (see fig.8, wherein fig.8 shows variance and comparison between data logs. See also paragraph [0082], wherein “graph 602 indicating a relation of a time stamp difference between the time and the log, an example of using the discordance history table 130 will be described. In this graph 602, a time stamp difference between the logs 1 and 2 calculated by the consistency check unit 123 is plotted. In the drawing, an abscissa indicates time, while an ordinate indicates a time difference obtained by subtracting the time stamp of the log 1 from that of the log 2. As shown in this example, the time stamp difference is not necessarily constant, and it may vary due to a time lag in the computer 101 or execution of time correction amount”).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the system of Seward to include the missing limitations, as taught by Nakamura, since doing so would allow the system to prevent discontinuity of the time stamps when time correction is carried out in the computer, or a phantom emerging in a statistical index due to time stamp shifting gradually increased/decreased among the plurality of logs (Nakamura; paragraphs [0028]).
 
Regarding claim 2, Seward in view of Nakamura further discloses wherein the user input comprises a selection of a user interface element (Seward, see col.16 line [35-54], wherein the field selected by the user may be extracted from the events at search time, e.g., at the time a query including one or more search commands (e.g., in a search pipeline) is executed for a late-binding schema, as described above and as will be described in further detail below. Such a search-time field extraction may be based on, for example, a field definition or configuration specified by the user via an interactive field extraction functionality accessible through the GUI, through regular expressions included within a configuration file accessible to the data intake and query system, or through a search command provided as part of the query itself. In some implementations, the user may specify the field via an input control element provided by the GUI, e.g., by selecting a desired field from a list of fields extracted from the events and prepopulated within a menu, dropdown window, or other type of control element for field selection, as provided by the GUI for a particular implementation. The list of fields may also include, for example, any default fields and/or user-defined fields that have been defined for the events).

Regarding claim 3, Seward in view of Nakamura further discloses wherein the status information collected from the one or more monitored devices includes at least one of log messages and metrics (Seward, see col.16 line [35-54], wherein the types of data generated by such data sources may be in various forms including, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements or metrics, and/or sensor measurements).

Regarding claim 4, Seward in view of Nakamura further discloses wherein the first and second sets of status information results are divided based at least in part on at least one of a spatial characteristic and a temporal characteristic (Seward, see col.16 line [35-54], wherein a visualization system of the enterprise network environment may provide various GUIs enabling the user to initiate different queries and receive a representation of a subset of events occurring within a time range of interest (temporal characteristic) and having a field of interest (spatial characteristic)).  

Regarding claim 5, Seward in view of Nakamura further discloses wherein the at least one of the spatial characteristic and the temporal characteristic comprises at least one of a time window, a set of nodes, and a cohort of users (Seward, see col.16 line [35-54], wherein a visualization system of the enterprise network environment may provide various GUIs enabling the user to initiate different queries and receive a representation of a subset of events occurring within a time range of interest (time window) and having a field of interest (spatial characteristic)).

Regarding claim 6, Seward in view of Nakamura further discloses wherein the at least one of the spatial characteristic and the temporal characteristic is selected by default or selected by the user (Seward, see col.16 line [35-54], wherein the field selected by the user may be extracted from the events at search time, e.g., at the time a query including one or more search commands (e.g., in a search pipeline) is executed for a late-binding schema, as described above and as will be described in further detail below. Such a search-time field extraction may be based on, for example, a field definition or configuration specified by the user via an interactive field extraction functionality accessible through the GUI, through regular expressions included within a configuration file accessible to the data intake and query system, or through a search command provided as part of the query itself. In some implementations, the user may specify the field via an input control element provided by the GUI, e.g., by selecting a desired field from a list of fields extracted from the events and prepopulated within a menu, dropdown window, or other type of control element for field selection, as provided by the GUI for a particular implementation. The list of fields may also include, for example, any default fields and/or user-defined fields that have been defined for the events).  

Regarding claim 9, Seward in view of Nakamura further discloses wherein the first and second sets of status information results comprise tables (Seward, see fig.7, wherein events/logs are shown in a table), and wherein the one or more processors are further configured to join the first and second sets of status information results on a key column (Seward, see col.17 line [6-67], the search head may be configured to combine the partial results from each indexer in order to form a complete or final set of search results in response to the query).
 

Regarding claim 13, Seward in view of Nakamura further discloses wherein the user query comprises a query for log messages (Seward, see col.16 line [35-54], wherein the types of data generated by such data sources may be in various forms including, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements or metrics, and/or sensor measurements), and wherein the user input comprises an indication to compare a first group of log messages against a second group of log messages (Seward, see col.11 line [31-40], the present disclosure may involve comparing any network data, network traffic, database data, or any other information (first group) to a deduplicated list (second group)).  

Regarding claim 14, Seward in view of Nakamura further discloses wherein the first and second sets of status information results comprise first and second sets of log messages (Seward, see col.16 line [35-54], wherein the types of data generated by such data sources may be in various forms including, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements or metrics, and/or sensor measurements).

Regarding claim 15, Seward in view of Nakamura further discloses wherein the one or more processors are further configured to cluster the first set of log messages and to cluster the second set of log messages (Seward, see col.9 line [1-10], wherein the events identified based on the security information may be grouped together based on one or more fields in each of the events satisfying a criteria for a group of security-related events. The criteria may be defined based on one or more fields that contain information indicative of a potential security threat. A group of security-related events that include these fields may be useful for identifying a source of such malicious activity. Thus, groups of security-related events may indicate a relationship of events that are related to a type of security issue), and wherein a cluster is associated with a corresponding signature comprising a template for log messages included in the cluster (Seward, see col.22 line [12-26], wherein a group of events defined by a particular criteria may be useful for identifying patterns (template) of events that occur in a similar manner or that are related in some way suggesting a potential security threat).

Regarding claim 16, Seward in view of Nakamura further discloses wherein the one or more processors are further configured to determine a count of a number of log messages in a given cluster (Seward, see col.26 line [1-16], wherein a feature of counting events is disclosed).  

Regarding claim 17, Seward in view of Nakamura further discloses wherein the one or more processors are further configured to join, based at least in part on signatures, the first set of clustered log messages and the second set of clustered log messages (Seward, see col.22 line [12-26], wherein a group of events defined by a particular criteria may be useful for identifying patterns (signatures) of events that occur in a similar manner or that are related in some way suggesting a potential security threat).
  
Regarding claim 18, Seward fails to teach the below limitations. 
Nakamura discloses wherein determining the variance between the first set of status information results and the second set of status information results comprises determining at least one of a difference in a number of logs in a given cluster, a presence of a cluster in the first set of status information results but not in the second set of status information results, and a presence of a cluster in the second set of status information results but not the first set of status information results (Nakamura, see fig.8, wherein fig.8 shows variance and comparison between data logs. For example, log 1 (first set) and log 2 (second set) show different values of offset, as shown in item 713. Therefore, the value that appears in log 1 is not the same as the value that appears in log 2). Motivation from claim 1 is applied.


Claims 19-20 are method and computer program product claims and are rejected under the same rationale and motivation as claim 1.

Claims 7-8 and 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Seward et al., U.S. Patent No: US 11196756 A1 (Hereinafter “Seward”) in view of Nakamura et al., U.S. Pub No: US 20080263105 A1 (Hereinafter “Nakamura”) and further in view of ROBICHAUD et al., U.S. Pub No: US 20160225271 A1 (Hereinafter “ROBICHAUD”).

Regarding claim 7, Seward in view of Nakamura fails to explicitly disclose the limitation below.
ROBICHAUD discloses wherein generating the first query and the second query comprises rewriting the user query to include a set of operator components (ROBICHAUD, paragraph [0102], wherein upon receiving search query 501, search head 104 modifies search query 501 by substituting “stats” with “prestats” to produce search query 502).  

Regarding claim 8, Seward in view of Nakamura fails to explicitly disclose the limitation below.
ROBICHAUD discloses wherein the set of operator components includes a time shift operator component (ROBICHAUD, paragraph [0095], wherein user input in the form of a search string. It also includes a time range picker 612 that enables the user to specify a time range for the search.). The same motivation from claim 7 is applied.

Regarding claim 10, Seward in view of Nakamura fails to explicitly disclose the limitation below.
ROBICHAUD discloses wherein the first and second queries generated from the user query comprise a same query associated with different time ranges (ROBICHAUD, paragraph [0102], search head 104 modifies search query to generate queries or requests for events in one or more distributed indexers. Therefore, since a query can contain a time range as disclosed in paragraph [0095], the search head can generate same/different queries with same/different time ranges in order to request events in the distributed indexers).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the system of Seward in view of Nakamura to include the missing limitation, as taught by ROBICHAUD, because the system would improve search results and user experience (ROBICHAUD; paragraphs [0003]).
 

Regarding claim 11, Seward in view of Nakamura fails to explicitly disclose the limitation below.
ROBICHAUD discloses wherein the first and second queries generated from the user query comprise different queries associated with a same time range (ROBICHAUD, paragraph [0102], search head 104 modifies search query to generate queries or requests for events in one or more distributed indexers. Therefore, since a query can contain a time range as disclosed in paragraph [0095], the search head can generate same/different queries with same/different time ranges in order to request events in the distributed indexers).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the system of Seward in view of Nakamura to include the missing limitation, as taught by ROBICHAUD, because the system would improve search results and user experience (ROBICHAUD; paragraphs [0003]).

Regarding claim 12, Seward in view of Nakamura fails to explicitly disclose the limitation below.
ROBICHAUD discloses wherein the first and second queries generated from the user query comprise different queries associated with different time ranges (ROBICHAUD, paragraph [0102], search head 104 modifies search query to generate queries or requests for events in one or more distributed indexers. Therefore, since a query can contain a time range as disclosed in paragraph [0095], the search head can generate same/different queries with same/different time ranges in order to request events in the distributed indexers).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the system of Seward in view of Nakamura to include the missing limitation, as taught by ROBICHAUD, because the system would improve search results and user experience (ROBICHAUD; paragraphs [0003]).


Conclusion
Related Art:
Miura (US 9953094 B2) discloses a matching method that includes: accumulating log information indicating histories of operations performed on devices by users; receiving a request for information regarding use of a first device from an information requester being one of the users and using the first device; analyzing log information of the first device from among the log information accumulated in the accumulating; identifying, as an information provider candidate, at least one of the users using a second device by using the log information of the first device analyzed in the analyzing and log information of the second device being of the same type as the first device; notifying the information provider candidate of the request from the information requester; and notifying the information requester of provided information which is information regarding use of the first device and provided by the information provider candidate in response to the request.
WATANABE (US 20080103853 A2) discloses a use status grasping portion that extracts transition data showing variations in degree of use of a site from log data; a variation data generating portion that generates, based on the transition data, variation data expressing the variations in degree of use of the site as a group Y of values showing the degree of use of the site; a time factor data recording portion in which a plurality of time factors and time factor values of each of the plurality of time factors are recorded; a time factor extracting portion that generates groups D_i of time factor values, each of which corresponds to a time factor extracted from among the plurality of time factors; and a time factor feature generating portion 13 that calculates coefficients a_i such that a square of an error b has a minimum value in an equation in which the groups D_i and the group Y are used as an explaining variable and an explained variable, respectively, thereby to generate data showing a time factor feature of a use status of the site. By this configuration, the time factor feature generation system generates data quantitatively showing a time factor feature of a use status of a site.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHER N ALGIBHAH whose telephone number is (571)272-0718.  The examiner can normally be reached on Monday-Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-1264.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MAHER N ALGIBHAH/Examiner, Art Unit 2165