DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner. 
Claim Objections
Claims 1, 3, 4 and 13 are objected to because of the following informalities:
Claim 1, line 2, “a processor perform the method” should read “a processor performs a method”. 
Claim 3, lines 1-2, “one on more” should read “one or more”.
Claim 4, line 2, “closed, LANs,” should read “closed LANs,”.
Claim 13, line 23, “configure to” should read “configured to”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
Claims 2-11, 13, 14-20 and 21-23 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which they depend, or for failing to include all the limitations of the claim upon which they depend.
Claims 2-11 and 13 are method claims, but are dependent on claim 1 which is a non-transitory computer readable medium claim.
Claims 14-20 are system claims, but are dependent on claim 13 which is a method claim and is dependent on claim 1 which is a non-transitory computer readable medium claim.
Claims 21-23 are system claims, but are dependent on claim 1 which is a non-transitory computer readable medium claim. 
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Under claim 13, line 11 starts a system claim, which is not numbered, and goes through line 29 with limitations. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
To simplify the execution of this first office action, examiner assumes the following:
Claim 13 is renumbered as claim 12.
The not numbered system claim is written in independent form and numbered as claim 13.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2016/0226731 A1 to Maroulis and further in view of US-PGPUB No. 2020/0097585 A1 to Laskawiec et al. (hereinafter “Laskawiec”).
Regarding claim 1:
Maroulis discloses:
A non-transitory computer readable medium comprising instructions (Maroulis, ¶210: “… a non-transitory computer-readable storage medium, storing software instructions …”), which when executed by a processor (¶210: “… which when executed by one or more processors …”) perform the method (¶210: “… cause performance of any of the foregoing methods.”), the method comprising: 
receiving a plurality of data event records (¶126: “… obtain a superset of the eventual results.”) wherein each data event record identifies a monitored element (¶95: “… mobile devices and sensors …”) (¶95: “… components which may generate machine data from which events may be derived include, but are not limited to, web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, and sensors. The data generated by such data sources can include, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements, and sensor measurements.”) within a monitored domain (¶101: “… System 108 …”) that is connected to one or more computer interception devices (¶130: “… a field extractor 512 …”, see Fig. 5);
extracting from the plurality of data event records an auxiliary subset (Maroulis, ¶126: “… a reduced set …”) (Maroulis, ¶126: “… during a filtering stage, the search head can perform field-extraction operations on the superset to produce a reduced set of search results.”) based upon a first user defined ruleset (Maroulis, ¶131: “… extraction rule 508 …”) (Maroulis, ¶131: “… field extractor 512 applies extraction rule 508 for the first command “Search IP= “10*” to events in data store 514 including events 516-518.”, ¶98: “… a user may manually define extraction rules for fields using a variety of techniques.”); 
extracting from the plurality of data event records an operational subset (Maroulis, ¶132: “Extraction rule 509 is used to extract values for the target field for events 516-517”) based upon a second user defined ruleset (Maroulis, ¶132: “…extraction rule 509 …”); 
transmitting the auxiliary subset and the operational subset to a central server (Maroulis, ¶177: “… a data intake and query system 108 …”) (Maroulis, ¶177: “… a monitoring component 112 of a client application 110 may send the performance data to a forwarder 204 of a data intake and query system 108 via one or more networks 104.”, ¶169-170: “… one or more of the components of a data intake and query system instead may be provided as a cloud-based service. … a cloud-based data intake and query system 906 …”, see Fig. 9); 
at the central server programing a processor (Maroulis, ¶177: “… a forwarder 204 …”) to perform the following steps: 
utilizing data mining techniques (Maroulis, ¶165: “… node-expansion operations …”) deducing an auxiliary operational logic state tree based upon the auxiliary subset (¶17: “FIG. 8C illustrates a proactive monitoring tree in accordance with the disclosed embodiments;”, ¶165: “… nodes … can be displayed using different patterns or colors to represent different performance states”); 
wherein a transition state of the monitored domain is determined (Maroulis, ¶165: “… nodes 831-839 can be displayed using different patterns or colors to represent different performance states, such as a critical state, a warning state, a normal state or an unknown/offline state.”); and 
determining whether to issue a fault within the monitored domain based upon the transition state (Maroulis, ¶165: “The ease of navigation provided by selective expansion in combination with the associated performance-state information enables a user to quickly diagnose the root cause of a performance problem.”).
However, Maroulis does not explicitly disclose the following limitations taught by Laskawiec: 
generating an operational state logic tree based upon the operational subset (Laskawiec, ¶04: “… generates, based on a modification to the initial dataset to produce a modified dataset, a hash tree for the modified dataset using computed hashes of records of the modified dataset …”); 
comparing the auxiliary operational logic state tree against the operational state logic tree (Laskawiec, ¶04: “…  compares the hash tree for the initial dataset to the hash tree for the modified dataset, and identifies, based on the comparing, one or more blocks of the modified dataset that are updated compared to the initial dataset.”)  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Maroulis to incorporate the functionality of the process to generate a hash tree, based on a modification to the initial dataset to produce a modified dataset, for the modified dataset using computed hashes of records of the modified dataset, and comparing the hash tree of the initial dataset to the hash tree for the modified dataset, as disclosed by Laskawiec. Such modification would allow the system to determine a transition state of the monitored domain by comparing the two hash values and to take appropriate action depending on the transition state.
 Regarding claim 2:
The combination of Maroulis and Laskawiec discloses:
The method of claim one wherein the monitored domain is a distributed domain of interconnected systems spanning multiple geographical locations (Laskawiec, ¶69: “There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).”).  
The same motivation which is applied to claim 1 applies to claim 2.
Regarding claim 3:
The combination of Maroulis and Laskawiec discloses:
The method of claim 2 wherein the distributed domain further comprises one on more interconnected computer networks (Laskawiec, ¶82: “Nodes 10 may communicate with one another. They may be grouped … physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds … or a combination thereof.”, see Fig. 8 for interconnected computer networks.).   
The same motivation which is applied to claim 1 applies to claim 3.
Regarding claims 13-15:
Claims 13, 14 and 15 substantially recite the same limitations as claims 1, 3 and 2, respectively, in the form of a system realizing the corresponding method, therefore they are rejected by the same rationale.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Maroulis, Laskawiec, and further in view of US-PGPUB No. 2008/0052606 A1 to Alstrup et al. (hereinafter “Alstrup”)
Regarding claim 4:
The combination of Maroulis and Laskawiec discloses the method of claim 3, but does not disclose the following limitation taught by Alstrup: 
 wherein the one or more interconnected computer networks is selected from the group consisted of open LANs, closed, LANs, open WANs, closed WANs or a combination thereof (Alstrup, ¶115: “The network … may be any kind of network whether closed or open to public connections, e.g. local area networks (LAN), wide area networks (WAN).”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Maroulis and Laskawiec to incorporate the teachings of using closed or open public connections such as local area networks (LANs) and wide area networks (WANs) or a combination thereof, as disclosed by Alstrup. Such modification would allow the system to establish different types of network connections between networked components depending on the security level of the data to be transmitted.
Claims 5, 7, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Maroulis, Laskawiec, and further in view of USPAT No. 10,673,880 B1 to Pratt et al. (hereinafter “Pratt”)
Regarding claim 5: 
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Pratt: 
 further comprising tokenizing the auxiliary subset (Pratt, col 29, lines 58-60: “… the parser can tokenize the event data into a number of tokens for further processing.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Maroulis and Laskawiec to incorporate the functionality of the security platform to implement a parser/tokenizer to tokenize event data, as disclosed by Pratt. Such modification would allow the system to gain the expected results of tokenization such as risk reduction from data breaches and protecting sensitive private information.
Regarding claim 7:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Pratt: 
further comprising tokenizing the operational subset (Pratt, col 29, lines 58-60: “… the parser can tokenize the event data into a number of tokens for further processing.”).
The same motivation which is applied to claim 5 applies to claim 7. 
Regarding claims 16 and 18:
Claims 16 and 18 substantially recite the same limitations as claims 5 and 7, respectively, in the form of a system realizing the corresponding method, therefore they are rejected by the same rationale.
Claims 6, 8, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Maroulis, Laskawiec, and further in view of USPAT No. 9,977,807 B1 to Bowman et al. (hereinafter “Bowman”)
Regarding claim 6:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Bowman: 
further comprising compressing the auxiliary subset (Bowman, col 74, lines 4-7: “…  the collection component 2341 may incorporate a compression engine, and the processor 2350 may be caused thereby to compress each data cell 2130 generated within the node device 2300.”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Maroulis and Laskawiec to incorporate the functionality of the collection component to incorporate a compression engine to compress data, as disclosed by Bowman. Such modification would allow the system to provide the expected results of data compression such as reductions in storage hardware, data transmission time, and communication bandwidth.
Regarding claim 8:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Bowman: 
further comprising compressing the operational subset (Bowman, col 74, lines 4-7: “…  the collection component 2341 may incorporate a compression engine, and the processor 2350 may be caused thereby to compress each data cell 2130 generated within the node device 2300.”).  
The same motivation which is applied to claim 6 applies to claim 8.
Regarding claims 17 and 19:
Claims 17 and 19 substantially recite the same limitations as claims 6 and 8, respectively, in the form of a system realizing the corresponding method, therefore they are rejected by the same rationale.
Claims 9-11 and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Maroulis, Laskawiec, and further in view of USPAT No. 10,977,222 B1 to Esman et al. (hereinafter “Esman”)
Regarding claim 9:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Esman: 
further comprising in real-time response to a control message from the central server, programming the one or more interception devices to automatically altering the first user defined ruleset (Esman, col 43, lines 23-28: “…  automatically update one or more event generation rules, for example, to modify one or more field extraction rules if a detected field name change is detected, or to add or remove one or more field extraction rules if particular fields in the source data is added or removed.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Maroulis and Laskawiec to incorporate the functionality of the data intake and query system to modify extraction rules if a detected field name change is detected, or to add or remove one or more field extraction rules if particular fields in the source data is added or removed, as disclosed by Esman. Such modification would allow the system to monitor data consistency by taking appropriate action in response to identification of a schema change.
Regarding claim 10:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Esman:  
further comprising in real-time response to a control message from the central server, programming the one or more interception devices to automatically altering the second user defined ruleset (Esman, col 43, lines 23-28: “…  automatically update one or more event generation rules, for example, to modify one or more field extraction rules if a detected field name change is detected, or to add or remove one or more field extraction rules if particular fields in the source data is added or removed.”).  
The same motivation which is applied to claim applies to claim 10.
Regarding claim 11:
The combination of Maroulis and Laskawiec discloses the method of claim 1, but fails to disclose the following limitation taught by Esman:  
further comprising in real-time response to a control message from the central server, programming the one or more interception devices to automatically increasing or decreasing an amount traffic from the monitored domain (Esman, col 18, lines 39-46: “… a schema consistency monitor may be configured to monitor all available data sources and data source types for schema changes unless a user provides input indicating that monitoring for one or more data sources or data source types is not desired, or may be configured to automatically monitor selected data sources or data source types based on attributes associated with those data sources or data source types.”).  
The same motivation which is applied to claim 9 applies to claim 11.
Regarding claims 20-22:
Claims 20-22 substantially recite the same limitations as claims 9-11, respectively, in the form of a system realizing the corresponding method, therefore they are rejected by the same rationale.
Allowable Subject Matter
Claims 12 and 23 are objected to as being dependent on a rejected claim, independent claim 1, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.
The following is the examiner’s statement of reasons for allowance:
With respect to claim 12, Maroulis in view of Laskawiec fails to disclose the comparing at the central server generating an auxiliary state logic database based upon the auxiliary subset, generating an operational state logic database based upon the operational subset, then comparing the auxiliary state logic database with the operational state logic database to generate a first mismatch logic state and comparing the operational state logic database with an expected state logic database to generate a second mismatch logic state followed by comparing the auxiliary state logic database with the expected state logic database to generate a third mismatch logic state and determining a state fault within the operational domain by reconciliation between the first mismatch logic state, the second mismatch logic state and the third mismatch logic state.
Claim 23 substantially recites the same limitations as claim 12, in the form of a system, therefore the same examiner’s reasoning for allowance, as claim 12, applies to claim 23.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Hwang et al. (USPAT No. 11,336,431-B2) - disclosed a verification system and method for cooperating with a blockchain and off-chain devices. The system includes a security protocol device, a blockchain device, and a database device. The security protocol device receives and integrates the record data into a binary tree according to a hash function. Hash values of the record data are stored in the leaf nodes. The blockchain device is at the blockchain and communicates with the security protocol device. The security protocol device transmits the root hash to the blockchain device. The database device communicates with the security protocol device in an off-chain manner. The security protocol device stores the binary tree to the database device. The security protocol device compares the root hash from the blockchain device with the root hash of the binary tree stored in the database device to verify the correctness of the binary tree stored in the database device.
Honig et al. (USPAT No 7,225,343 B1) - disclosed a system and methods for detecting intrusions in the operation of a computer system, comprising a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data record.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491