DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In response to Applicant’s claims filed on November 05, 2025, claims 1-20 are now pending for examination in the application.
Response to Arguments
This office action is in response to the amendment filed 11/05/2025. In this action, claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (US Pub. No. 20220224723) and King et al. (US Pub. No. 20230229540) and Apger et al. (US Pub. No. 20230139000) in further view of Kaimal et al. (US Pub. No. 20230123781). The Crabtree et al. reference has been added to address the amended limitation “process the log file to identify one or more name-value pairs representing data associated with a cybersecurity threat event occurring at or detected by an affected device from the plurality of data elements.”
Applicant’s arguments:
With regard to claim 1, on page 10, applicant argues “In Example 1, "the invention claimed here is directed towards performing isolation and eradication of computer viruses, worms, and other malicious code, a concept inextricably tied to computer technology and distinct from the types of concepts found by the courts to be abstract." Likewise, the present claims, as amended, are directed towards detecting, identifying, and evaluating cybersecurity threats. The present claims are thus also "inextricably tied to computer technology" and should not be considered to recite an abstract idea,” as recited in claim 1.
Examiner’s Reply:
The claims have been evaluated as a whole, and when considered in their entirety they still amount to determining how to parse log file data for threat analysis. The additional limitations directed to model training do not add meaningful limitations beyond the abstract idea.
Applicant’s arguments:
With regard to claim 1, on page 12, applicant argues “These features tie the claims to operating in the context of cybersecurity threats and tie the claims to using a compiler in a way that effectively identifies and evaluates cybersecurity threats. Moreover, the parser is generated using a particular algorithm that corresponds to the schema, improving the ability of various implementations to generate a useful and relevant parser and improves the functioning of the underlying technology,” as recited in claim 1.
Examiner’s Reply:
Parsing log files is not a technological improvement. The claims merely determine how and when to parse log file data for processing. This determination and identification of data in log files is a computer-implemented abstract mental process.
Applicant’s arguments:
With regard to claim 1, on page 13, applicant argues “These specific features are examples of features recited in the independent claims that go beyond any similar elements recognized in the art or by the courts as being well-understood, routine, or conventional, and therefore cause the claims to recite significantly more than any recognized abstract idea, mental process, or other judicial exception,” as recited in claim 1.
Examiner’s Reply:
Machine learning (e.g., parsing syslogs) is well-understood, routine, and conventional. The additional elements merely allow a user to determine the most efficient way to train a syslog parser given a certain amount of processing resources.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 2-3, 7, 11-12, and 16 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. Claims 2 and 11 contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. There is no support for “adding code to the initial parser, removing code from the initial parser, and adjusting values of the first name-value pair.”
Dependent claims 3, 7, 12, and 16 are also rejected for inheriting the deficiencies of the claims from which they depend.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-patentable subject matter. The claims are directed to an abstract idea without significantly more.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The judicial exception is not integrated into a practical application. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The eligibility analysis in support of these findings is provided below, in accordance with the "2019 Revised Patent Subject Matter Eligibility Guidance" (published on 1/7/2019 in Fed. Register, Vol. 84, No. 4 at pgs. 50-57, hereinafter referred to as the "2019 PEG").
Step 1. In accordance with Step 1 of the eligibility inquiry (as explained in MPEP 2106), it is first noted that the method (claims 1-9), system (claims 10-18), and system (claims 19-20) are each directed to one of the eligible categories of subject matter and therefore satisfy Step 1.
Step 2A. In accordance with Step 2A, prong one of the 2019 PEG, it is noted that the independent claims recite an abstract idea falling within the Mathematical Concepts and Mental Processes enumerated groupings of abstract ideas set forth in the 2019 PEG. Examiner is of the position that independent claims 1, 10, and 19 are directed towards the Mental Process grouping of abstract ideas.
Independent claims 1 and 10 recite the following limitations directed towards a Mental Process:
process the log file to identify one or more name-value-pairs representing data associated with a cybersecurity threat event occurring at or detected by an affected device from the plurality of data elements (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to identify a name-value pair);
classify the log file as being associated with a schema from a set of schemas based in part on the one or more name-value pairs (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to classify a log file);
map a first name-value pair of the one or more name-value pairs to a first input field from a plurality of input fields of the schema based on characteristics of the first name-value pair (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to map a name-value pair);
determine a confidence level associated with mapping the first name-value pair to the first input field (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to determine confidence); and
when the confidence level for mapping the first name-value pair to the first input field exceeds a threshold, provide the first name-value pair to the first input field (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to determine confidence);
generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to generate a parser).
Step 2A. In accordance with Step 2A, prong two of the 2019 PEG, the judicial exception is not integrated into a practical application because of the recitation in claim(s) 1 and 10:
a non-transitory computer-readable medium (i.e., as a generic processor/component performing a generic computer function) storing computer-executable program instructions; and
a processor (i.e., as a generic processor/component performing a generic computer function) communicatively coupled to the non-transitory computer-readable medium for executing the computer-executable program instructions, wherein executing the computer-executable program instructions configures the processor to perform operations comprising:
receiving a log file from a user device, wherein the log file is a structured text file of a plurality of data elements (recites insignificant extra solution activity that amounts to mere data gathering);
invoking one or more machine learning models (i.e., AI models that merely automate the claimed steps and are no more than mere instructions to apply the exception using generic computer components) configured to:
using the new parser in a compiler to compile log files into a computer-readable format compatible with an application for identifying and evaluating cybersecurity threats from log files (recites insignificant extra solution activity that amounts to compiling data).
Step 2B. Similar to the analysis under 2A Prong Two, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Because the additional elements of the independent claims amount to insignificant extra solution activity and/or mere instructions, the additional elements do not add significantly more to the judicial exception such that the independent claims as a whole would be patent eligible.
Independent claim 19 recites the following limitations directed towards a Mental Process:
tokenizing the plurality of name-value pairs of the log file (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to tokenize a log file);
generating a distribution of tokenized name-value pairs (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to generate a distribution);
classifying the log file based on the distribution of tokenized name-value pairs (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to classify a file);
generating a feature vector associated with one or more tokenized name-value pairs from the plurality of name-value pairs, wherein attributes of the feature vector include one or more tokenized name-value pairs (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to generate a vector);
generating a parser based on the schema (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to generate a parser).
Step 2A. In accordance with Step 2A, prong two of the 2019 PEG, the judicial exception is not integrated into a practical application because of the recitation in claim(s) 19:
a memory (i.e., as a generic processor/component performing a generic computer function) with instructions stored thereon; and
a processing device (i.e., as a generic processor/component performing a generic computer function), coupled to the memory, the processing device configured to access the memory and execute the instructions, wherein the instructions cause the processing device to perform or control performance of operations comprising:
receiving, from a first user, a log file including a plurality of name-value pairs (recites insignificant extra solution activity that amounts to mere data gathering);
providing the feature vector to a plurality of decision trees to determine a confidence level associated with mapping name-value pairs of the plurality of name-value pairs to input fields of a schema, wherein when the confidence level exceeds a predetermined threshold, the processor maps one or more name-value pairs of the plurality of name-value pairs to associated input fields of the schema (recites insignificant extra solution activity that amounts to inputting data);
using the new parser in a compiler to compile log files into a computer-readable format compatible with an application for identifying and evaluating cybersecurity threats from log files (recites insignificant extra solution activity that amounts to compiling data).
Step 2B. Similar to the analysis under 2A Prong Two, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Because the additional elements of the independent claims amount to insignificant extra solution activity and/or mere instructions, the additional elements do not add significantly more to the judicial exception such that the independent claims as a whole would be patent eligible.
Therefore, independent claims 1, 10, and 19 are rejected under 35 U.S.C. 101.
With respect to claim(s) 2 and 11:
Step 2A, prong one of the 2019 PEG:
adding code to the initial parser, removing code from the initial parser, and adjusting values of the first name-value pair (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to manipulate code).
Step 2A Prong Two Analysis:
receiving an edited parser (recites insignificant extra solution activity that amounts to mere data gathering), wherein edits to obtain the edited parser from an initial parser include one or more of:
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 3 and 12:
Step 2A, prong one of the 2019 PEG:
parsing the second log file using the edited parser (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to parse a file).
Step 2A Prong Two Analysis:
storing the edited parser in a repository of edited parsers associated with a user (recites insignificant extra solution activity that amounts to storing a parser);
receiving a second log file (recites insignificant extra solution activity that amounts to data gathering).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 4 and 13:
Step 2A, prong one of the 2019 PEG:
Examiner is of the position the dependent claim is directed toward additional elements.
Step 2A Prong Two Analysis:
wherein the log file includes one or more name-value pairs associated with:
a timestamp, a product, a product version, a vendor, a user, and a severity identifier indicating a cybersecurity threat (recites insignificant extra solution activity that amounts to mere data gathering).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 5 and 14:
Step 2A, prong one of the 2019 PEG:
Examiner is of the position the dependent claim is directed toward additional elements.
Step 2A Prong Two Analysis:
wherein at least one name-value pair of the one or more name-value pairs includes terminology indicating a type of device used to collect telemetry data, network data, or a combination thereof associated with the cybersecurity threat event, wherein the type of device is used by the one or more machine learning models to classify the log file as being associated with the schema (i.e., AI models that merely automate the claimed steps and are no more than mere instructions to apply the exception using generic computer components).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 6 and 15:
Step 2A, prong one of the 2019 PEG:
Examiner is of the position the dependent claim is directed toward additional elements.
Step 2A Prong Two Analysis:
wherein the one or more machine learning models use one or more of a naive-bayes classifier and a random forest model to map the one or more name-value pairs to one or more input fields from the plurality of input fields of the schema (i.e., AI models that merely automate the claimed steps and are no more than mere instructions to apply the exception using generic computer components).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 7 and 16:
Step 2A, prong one of the 2019 PEG:
Examiner is of the position the dependent claim is directed toward additional elements.
Step 2A Prong Two Analysis:
wherein the one or more machine learning models are further configured to be trained using the edited parser as intrinsic training data to improve classifying of log files and mapping of data elements to an associated schema (i.e., AI models that merely automate the claimed steps and are no more than mere instructions to apply the exception using generic computer components).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 8 and 17:
Step 2A, prong one of the 2019 PEG:
wherein when the confidence level for mapping the first name-value pair to the first input field does not exceed the threshold, determine a confidence level for mapping a second name-value pair from the one or more name-value pairs to the first input field (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to determine a confidence level).
Step 2A Prong Two Analysis:
This judicial exception is not integrated into a practical application because there are no additional elements to provide practical application.
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 9 and 18:
Step 2A, prong one of the 2019 PEG:
wherein when no name-value pair of the one or more name-value pairs exceeds the threshold for mapping to the first input field, a portion of the new parser associated with the first input field of the schema is populated with a null value (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to populate a schema).
Step 2A Prong Two Analysis:
This judicial exception is not integrated into a practical application because there are no additional elements to provide practical application.
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
With respect to claim(s) 20:
Step 2A, prong one of the 2019 PEG:
adding code to the initial parser, removing code from the initial parser, and adjusting values of the first name-value pair (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to manipulate code);
parsing the second log file using the edited parser (The limitation recites a mental process of observation and/or evaluation capable of being performed by the human mind by using computer as a tool to parse a file).
Step 2A Prong Two Analysis:
receiving an edited parser (recites insignificant extra solution activity that amounts to mere data gathering), wherein edits to obtain the edited parser from an initial parser include one or more of:
storing the edited parser in a repository of edited parsers associated with a user (recites insignificant extra solution activity that amounts to storing a parser);
receiving a second log file (recites insignificant extra solution activity that amounts to data gathering).
Step 2B Analysis:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.
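The pipeline recited in claims 1, 8, 9 and 19 above (identify name-value pairs, classify the log file to a schema, map pairs to input fields when a confidence level exceeds a threshold, fall back to the next pair or a null value otherwise, and generate a parser from the mapping), reduced to a small working implementation as an added example; this is not code from the office action, the application or any cited reference, and the schemas, field aliases, value patterns, confidence weights and sample log lines are constructed assumptions.

```python
# Added illustration (not from the office action or any cited reference).
# Schemas, aliases, value patterns, weights and sample lines are constructed.
from __future__ import annotations

import re
from typing import Callable, Optional

TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
SEV = r"(?:low|medium|high|critical)"

# Constructed schemas: each input field lists accepted name aliases and a
# regular expression the whole value must match.
SCHEMAS: dict[str, dict[str, dict]] = {
    "firewall": {
        "timestamp": {"aliases": {"ts", "time", "timestamp"}, "pattern": TS},
        "src_ip": {"aliases": {"src", "srcip", "src_ip"}, "pattern": r"\d{1,3}(?:\.\d{1,3}){3}"},
        "dst_port": {"aliases": {"dpt", "dport", "dst_port"}, "pattern": r"\d{1,5}"},
        "severity": {"aliases": {"sev", "severity", "level"}, "pattern": SEV},
        "vendor": {"aliases": {"vendor", "devicevendor"}, "pattern": r"\w+"},
    },
    "auth": {
        "timestamp": {"aliases": {"ts", "time", "timestamp"}, "pattern": TS},
        "user": {"aliases": {"user", "usr", "account", "suser"}, "pattern": r"[A-Za-z][\w.-]*"},
        "outcome": {"aliases": {"outcome", "result", "status"}, "pattern": r"(?:success|failure)"},
        "severity": {"aliases": {"sev", "severity", "level"}, "pattern": SEV},
    },
}

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_pairs(log_line: str) -> list[tuple[str, str]]:
    """Identify the name-value pairs in a structured text log line (claim 1)."""
    return [(k, v.strip('"')) for k, v in PAIR_RE.findall(log_line)]


def classify_schema(pairs: list[tuple[str, str]], schemas=SCHEMAS) -> str:
    """Choose the schema whose fields are named by the most observed pairs (claim 1);
    ties go to the schema with the larger fraction of its fields covered."""
    names = {k.lower() for k, _ in pairs}

    def score(schema_name: str) -> tuple[int, float]:
        fields = schemas[schema_name]
        hits = sum(1 for f in fields.values() if names & f["aliases"])
        return hits, hits / len(fields)

    return max(schemas, key=score)


def confidence(name: str, value: str, field: dict) -> float:
    """Confidence that (name, value) belongs in `field`: 0.6 for a name alias
    match plus 0.4 for a full-value pattern match (weights are an assumption)."""
    score = 0.6 if name.lower() in field["aliases"] else 0.0
    if re.fullmatch(field["pattern"], value):
        score += 0.4
    return score


def map_to_schema(pairs, schema: dict, threshold: float = 0.7) -> dict[str, Optional[str]]:
    """Try candidate pairs for each input field from highest to lowest confidence.
    The first pair to exceed the threshold supplies the field (claims 1 and 8); if
    none does, the field is null (claim 9). Result: schema field -> source key."""
    mapping: dict[str, Optional[str]] = {}
    for field_name, field in schema.items():
        ranked = sorted(pairs, key=lambda p: confidence(p[0], p[1], field), reverse=True)
        mapping[field_name] = None
        for name, value in ranked:
            if confidence(name, value, field) > threshold:
                mapping[field_name] = name
                break
    return mapping


def generate_parser(mapping: dict[str, Optional[str]]) -> Callable[[str], dict[str, Optional[str]]]:
    """Generate a parser for the schema from the mapping: applied to later log lines
    of the same schema it fills each input field from its mapped source key."""
    def parse(log_line: str) -> dict[str, Optional[str]]:
        found = dict(extract_pairs(log_line))
        return {field: (found.get(src) if src else None) for field, src in mapping.items()}
    return parse


def build_parser_for(log_line: str, threshold: float = 0.7):
    """Run the whole pipeline on one sample line: extract, classify, map, generate."""
    pairs = extract_pairs(log_line)
    schema_name = classify_schema(pairs)
    mapping = map_to_schema(pairs, SCHEMAS[schema_name], threshold)
    return schema_name, mapping, generate_parser(mapping)


# Constructed sample: 'src' matches an alias but carries an interface name, so
# its confidence stays at 0.6 and the second candidate 'srcip' is mapped instead
# (claim 8); no pair reaches the threshold for 'vendor', so it is null (claim 9).
SAMPLE = 'ts=2024-05-01T12:00:00Z src=eth0 srcip=10.0.0.5 dpt=445 sev=high msg="SMB probe"'

if __name__ == "__main__":
    schema, mapping, parser = build_parser_for(SAMPLE)
    print(schema, mapping)
    print(parser('ts=2024-05-01T12:00:01Z src=eth1 srcip=10.0.0.9 dpt=3389 sev=medium'))
```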
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (US Pub. No. 20220224723) and King et al. (US Pub. No. 20230229540) and Apger et al. (US Pub. No. 20230139000) in further view of Kaimal et al. (US Pub. No. 20230123781).
With respect to claim 1, Crabtree et al. discloses a method comprising:
receiving a log file from a user device, wherein the log file is a structured text file of a plurality of data elements (Paragraph 117 discloses content of interest may be identified, for example including web and email portals, log files, backup or archive files, and other forms of sensitive information that may be contained within HTML comments or client-side scripts, as may be useful for vulnerability discovery and penetration testing activities);
invoking one or more machine learning models (Paragraph 131 discloses Machine learning models 1901 may be used to identify patterns and trends in any aspect of the system, but in this case are being used to identify patterns and trends in the data which would help the data to rule mapper) configured to:
process the log file to identify one or more name-value-pairs representing data associated with a cybersecurity threat event occurring at or detected by an affected device from the plurality of data elements (Paragraph 161 discloses analysis of integrated operational technology and information technology systems may be employed to detect cybersecurity threats. In a first step, parametric analyses are run of sensors in the OT system model 2801). Crabtree et al. does not disclose determine a confidence level associated with mapping the first name-value pair to the first input field.
However, King et al. teaches determine a confidence level associated with mapping the first name-value pair to the first input field (Paragraph 12 discloses examining the logs of each cluster and removing logs based upon a selected or threshold level of confidence); and
when the confidence level for mapping the first name-value pair to the first input field exceeds a threshold, provide the first name-value pair to the first input field (Paragraph 12 discloses examining the logs of each cluster and removing logs based upon a selected or threshold level of confidence that they do not match, or are the same or substantially the same type as, other system log messages within a defined cluster).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. with King et al. This would have improved parsing log files by using machine learning. See King et al. Paragraph(s) 4-15.
Crabtree et al. as modified by King et al. does not explicitly disclose classify the log file as being associated with a schema from a predefined set of schemas based in part on the one or more name-value pairs.
However, Apger et al. teaches classify the log file as being associated with a schema from a predefined set of schemas based in part on the one or more name-value pairs (Paragraphs 42-43 disclose server log files, activity log files, configuration files, messages, network packet data, log file performance measurements, sensor measurements, etc. The data intake and query system can use flexible schema to specify how to extract information from events. A flexible schema may be developed and redefined as needed);
map a first name-value pair of the one or more name-value pairs to a first input field from a plurality of input fields of the schema based on characteristics of the first name-value pair (Paragraph 111 discloses fields can automatically be generated for some or all of the field names of the field name-value pairs at the time of indexing);
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. with Apger et al. This would have improved parsing log files by using machine learning. See Apger et al. Paragraph(s) 2-4. Crabtree et al. as modified by King et al. and Apger et al. does not disclose generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair.
However, Kaimal et al. teaches generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair (Paragraph 153 discloses a parser grammar set for a security policy. A parser may be used to convert an intermediate form of a security policy into an executable form. In some embodiments, the parser may be built using the Apache Freemarker Template Engine, an open source java library capable of generating text outputs based on templates. The parser may have a grammar construct to handle different types of access rules);
using the new parser in a compiler to compile log files into a computer-readable format compatible with an application for identifying and evaluating cybersecurity threats from log files (Paragraph 77 discloses threat management facility 308 may also or instead store and deploy a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user. This may, for example, include machine learning analysis of new code samples, models to provide human-readable context for evaluating potential threats, and any of the other tools or techniques described herein).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. and Apger et al. with Kaimal et al. This would have improved parsing log files by using machine learning. See Kaimal et al. Paragraph(s) 3-9.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 1. With respect to claim 2, King et al. teaches the method of claim 1, wherein the method further comprises:
receiving an edited parser, wherein edits to obtain the edited parser from an initial parser include one or more of:
adding code to the initial parser, removing code from the initial parser, and adjusting values of the first name-value pair (Paragraph 26 discloses enabling non-developer skilled users to create parsing scripts/parsers or rules for new and/or varying syslog telemetry). The motivation to combine the Crabtree et al. reference and the King et al. reference, as provided above in the rejection of independent claim 1, is applicable to dependent claim 2.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 2. With respect to claim 3, King et al. teaches the method of claim 2, wherein the method further comprises:
storing the edited parser in a repository of edited parsers associated with a user (Paragraph 35 discloses log parsing system 202 may further be connected to a number of private and/or public databases, repositories, or other data sources);
receiving a second log file (Paragraph 48 discloses various log files); and
parsing the second log file using the edited parser (Paragraph 26 discloses enabling non-developer skilled users to create parsing scripts/parsers or rules for new and/or varying syslog telemetry). The motivation to combine the Crabtree et al. reference and the King et al. reference, as provided above in the rejection of independent claim 1, is applicable to dependent claim 3.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 1. With respect to claim 4, King et al. teaches the method of claim 1, wherein the log file includes one or more name-value pairs associated with:
a timestamp, a product, a product version, a vendor, a user, and a severity identifier indicating a cybersecurity threat (Paragraph 69 discloses variable attributes may include attributes such as dates, IP addresses, user names, a time or timestamps, and/or other variable attributes). The motivation to combine the Crabtree et al. reference and the King et al. reference, as provided above in the rejection of independent claim 1, is applicable to dependent claim 4.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 1. With respect to claim 5, Crabtree et al. teaches the method of claim 1, wherein at least one name-value pair of the one or more name-value pairs includes terminology indicating a type of device used to collect telemetry data, network data, or a combination thereof associated with the cybersecurity threat event, wherein the type of device is used by the one or more machine learning models to classify the log file as being associated with the schema (Paragraph 136 discloses data may comprise any data generated by, or obtainable from, the OT and IT systems 2640, including but not limited to device telemetry data, system and device log files, connection and access activity, network events, deployed software versions, user activity information, sensor data, process control status information, etc., and may be stored in a time series data store).
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 1. With respect to claim 6, King et al. teaches the method of claim 1, wherein the one or more machine learning models use a one or more of a naive-bayes classifier and a random forest model to map the one or more name-value pairs to one or more input fields from the plurality of input fields of the schema (Paragraph 50 discloses machine learning model may include an unsupervised learning model (e.g., clustering model) and/or a supervised learning model (e.g., neural network model, a Naïve Bayes model, a linear regression model, a logistic regression model, a support vector machine, a decision tree based model, or a k-nearest). An ensemble machine learning method may include two or more of the machine learning models described above or other machine learning models as will be understood by a person skilled in the art). The motivation to combine statement previously provided in the rejection of independent claim 1 provided above, combining the Crabtree et al. reference and the King et al. reference is applicable to dependent claim 6.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 2. With respect to claim 7, Crabtree et al. teaches the method of claim 2, wherein the one or more machine learning models are further trained using the edited parser (Paragraph 141 discloses system log (syslog) information and time series data is gathered from affected devices and sent to a syslog parser 3002 which sorts the system logs and associates them in time events to create a time series data store 3003 of the cyberattack and the network's response).
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 1. With respect to claim 8, King et al. teaches the method of claim 1, wherein when the confidence level for mapping the first name-value pair to the first input field does not exceed the threshold, determine a confidence level for mapping a second name-value pair from the one or more name-value pairs to the first input field (Paragraph 72 discloses Confidence of a relationship between two messages in a cluster may be determined based on the distance between each message in a cluster). The motivation to combine statement previously provided in the rejection of independent claim 1 provided above, combining the Crabtree et al. reference and the King et al. reference is applicable to dependent claim 8.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 8. With respect to claim 9, King et al. teaches the method of claim 8, wherein when no name-value pairs of the one or more name-value pair exceeds the threshold for mapping to the first input field, a portion of the new parser associated with the first input field of the schema is populated with a null value (Paragraph 38 discloses variable attributes may include known values or statements that may not aid in identifying patterns or generating clusters). The motivation to combine statement previously provided in the rejection of dependent claim 8 provided above, combining the Crabtree et al. reference and the King et al. reference is applicable to dependent claim 9.
With respect to claim 10, Crabtree et al. discloses a system comprising:
a memory (Paragraph 29 discloses a memory of, and operating on a processor of, a computing device) with instructions stored thereon; and
a processing device (Paragraph 29 discloses a memory of, and operating on a processor of, a computing device), coupled to the memory, the processing device configured to access the memory and execute the instructions, wherein the instructions cause the processing device to perform or control performance of operations comprising:
receiving a log file from a user device, wherein the log file is a structured text file of a plurality of data elements (Paragraph 117 discloses content of interest may be identified, for example including web and email portals, log files, backup or archive files, and other forms of sensitive information that may be contained within HTML comments or client-side scripts, as may be useful for vulnerability discovery and penetration testing activities);
invoking one or more machine learning models (Paragraph 131 discloses Machine learning models 1901 may be used to identify patterns and trends in any aspect of the system, but in this case are being used to identify patterns and trends in the data which would help the data to rule mapper) configured to:
process the log file to identify one or more name-value-pairs representing data associated with a cybersecurity threat event occurring at or detected by an affected device from the plurality of data elements (Paragraph 161 discloses analysis of integrated operational technology and information technology systems may be employed to detect cybersecurity threats. In a first step, parametric analyses are run of sensors in the OT system model 2801). Crabtree et al. does not disclose determine a confidence level associated with mapping the first name-value pair to the first input field.
However, King et al. teaches determine a confidence level associated with mapping the first name-value pair to the first input field (Paragraph 12 discloses examining the logs of each cluster and removing logs based upon a selected or threshold level of confidence); and
when the confidence level for mapping the first name-value pair to the first input field exceeds a threshold, provide the first name-value pair to the first input field (Paragraph 12 discloses examining the logs of each cluster and removing logs based upon a selected or threshold level of confidence that they do not match, or are the same or substantially the same type as, other system log messages within a defined cluster).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. with King et al. This would have improved parsing log files by using machine learning. See King et al. Paragraph(s) 4-15.
Crabtree et al. as modified by King et al. does not explicitly disclose classify the log file as being associated with a schema from a predefined set of schemas based in part on the one or more name-value pairs.
However, Apger et al. teaches classify the log file as being associated with a schema from a predefined set of schemas based in part on the one or more name-value pairs (Paragraph 42-43 discloses server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc. The data intake and query system can use flexible schema to specify how to extract information from events. A flexible schema may be developed and redefined as needed);
map a first name-value pair of the one or more name-value pairs to a first input field from a plurality of input fields of the schema based on characteristics of the first name- value pair (Paragraph 111 discloses fields can automatically be generated for some or all of the field names of the field name-value pairs at the time of indexing);
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. with Apger et al. This would have improved parsing log files by using machine learning. See Apger et al. Paragraph(s) 2-4. Crabtree et al. as modified by King et al. and Apger et al. does not disclose generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair.
However, Kaimal et al. teaches generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair (Paragraph 26 discloses parsing or normalizing unrecognized, unstructured and/or semi-structured system logs or data (hereafter “syslogs”), including enabling non-developer skilled users to create parsing scripts/parsers or rules for new and/or varying syslog telemetry's and Paragraph 153 discloses a parser grammar set for a security policy. A parser may be used to convert an intermediate form of a security policy into an executable form. In some embodiments, the parser may be built using the Apache Freemarker Template Engine, an open source java library capable of generating text outputs based on templates. The parser may have a grammar construct to handle different types of access rules);
using the new parser in a compiler to compile log files into a computer-readable format compatible with an application for identifying and evaluating cybersecurity threats from log files (Paragraph 77 discloses threat management facility 308 may also or instead store and deploy a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user. This may, for example, include machine learning analysis of new code samples, models to provide human-readable context for evaluating potential threats, and any of the other tools or techniques described herein).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. and Apger et al. with Kaimal et al. This would have improved parsing log files by using machine learning. See Kaimal et al. Paragraph(s) 3-9.
With respect to claim 11, it is rejected on grounds corresponding to above rejected claim 2, because claim 11 is substantially equivalent to claim 2.
With respect to claim 12, it is rejected on grounds corresponding to above rejected claim 3, because claim 12 is substantially equivalent to claim 3.
With respect to claim 13, it is rejected on grounds corresponding to above rejected claim 4, because claim 13 is substantially equivalent to claim 4.
With respect to claim 14, it is rejected on grounds corresponding to above rejected claim 5, because claim 14 is substantially equivalent to claim 5.
With respect to claim 15, it is rejected on grounds corresponding to above rejected claim 6, because claim 15 is substantially equivalent to claim 6.
With respect to claim 16, it is rejected on grounds corresponding to above rejected claim 7, because claim 16 is substantially equivalent to claim 7.
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 10. With respect to claim 17, King et al. teaches the system of claim 10, wherein when the confidence level for mapping the first name-value pair to the first input field does not exceed the threshold, determining a confidence level for mapping a second name-value pair from the one or more name-value pairs to the first input field (Paragraph 72 discloses Confidence of a relationship between two messages in a cluster may be determined based on the distance between each message in a cluster). The motivation to combine statement previously provided in the rejection of independent claim 11 provided above, combining the Crabtree et al. reference and the King et al. reference is applicable to dependent claim 17.
With respect to claim 18, it is rejected on grounds corresponding to above rejected claim 9, because claim 18 is substantially equivalent to claim 9.
With respect to claim 19, Crabtree et al. discloses a system comprising:
a memory (Paragraph 29 discloses a memory of, and operating on a processor of, a computing device) with instructions stored thereon; and
a processing device (Paragraph 29 discloses a memory of, and operating on a processor of, a computing device), coupled to the memory, the processing device configured to access the memory and execute the instructions, wherein the instructions cause the processing device to perform or control performance of operations comprising:
receiving, from a first user device, a log file including a plurality of name-value pairs, representing data associated with a cybersecurity threat event occurring at or detected by an affected device (Paragraph 117 discloses content of interest may be identified, for example including web and email portals, log files, backup or archive files, and other forms of sensitive information that may be contained within HTML comments or client-side scripts, as may be useful for vulnerability discovery and penetration testing activities). Crabtree et al. does not disclose tokenizing the plurality of name-value pairs of the log file.
However, King et al. discloses tokenizing the plurality of name-value pairs of the log file (Paragraph 52 discloses variable attributes to be removed and/or replaced with a token during analysis);
generating a feature vector associated with one or more of the tokenized name-value pairs, wherein attributes of the feature vector include the one or more of the tokenized name-value pairs (Paragraph 59 discloses generate a vector based on each histogram and/or other relevant data for each message);
providing the feature vector to a plurality of decision trees to determine a confidence level associated with mapping name-value pairs of the plurality of name-value pairs to input fields of a schema, wherein when the confidence level exceeds a threshold, the operations further comprise mapping one or more name-value pairs of the plurality of name-value pairs to associated input fields of the schema (Paragraph 72 discloses Confidence of a relationship between two messages in a cluster may be determined based on the distance between each message in a cluster).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. with King et al. This would have improved parsing log files by using machine learning. See King et al. Paragraph(s) 4-15.
Crabtree et al. as modified by King et al. does not explicitly disclose classify the log file based on the distribution of tokenized name-value pairs.
However, Apger et al. discloses generate a distribution of tokenized name-value pairs (Paragraph 111 discloses fields can automatically be generated for some or all of the field names of the field name-value pairs at the time of indexing);
classify the log file based on the distribution of tokenized name-value pairs (Paragraph 42-43 discloses server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc. The data intake and query system can use flexible schema to specify how to extract information from events. A flexible schema may be developed and redefined as needed).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. with Apger et al. This would have improved parsing log files by using machine learning. See Apger et al. Paragraph(s) 2-4.
Crabtree et al. as modified by King et al. and Apger et al. does not disclose generating a new parser from the plurality of input fields of the schema and the mapping using a parser algorithm associated with the schema, wherein the generated new parser includes at least part of the first name-value pair.
However, Kaimal et al. teaches generating a parser based on the schema using a parser algorithm associated with the schema (Paragraph 153 discloses a parser grammar set for a security policy. A parser may be used to convert an intermediate form of a security policy into an executable form. In some embodiments, the parser may be built using the Apache Freemarker Template Engine, an open source java library capable of generating text outputs based on templates. The parser may have a grammar construct to handle different types of access rules);
using the new parser in a compiler to compile log files into a computer-readable format compatible with an application for identifying and evaluating cybersecurity threats from log files (Paragraph 77 discloses threat management facility 308 may also or instead store and deploy a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user. This may, for example, include machine learning analysis of new code samples, models to provide human-readable context for evaluating potential threats, and any of the other tools or techniques described herein).
Therefore, it would have been obvious before the effective filing date of the invention to a person having ordinary skill in the art to modify Crabtree et al. and King et al. and Apger et al. with Kaimal et al. This would have improved parsing log files by using machine learning. See Kaimal et al. Paragraph(s) 3-9.
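The mapping pipeline recited in claims 10 and 19 (tokenize the name-value pairs, derive a feature vector, have a plurality of decision trees score each candidate mapping, accept a mapping only when its confidence exceeds a threshold, try a second pair for the field otherwise, and populate a null when none qualifies, as in claims 8 and 9, then emit a parser that normalizes later log files into the schema) is illustrated below as an added, self-contained example. It is not code from the application or from any of the cited references. The log lines, the target schema fields and the three hand-built decision stumps (standing in for trained trees or a random forest) are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample line; not taken from the application or any cited reference.
SAMPLE_LOG = ("ts=2024-01-15T10:22:31Z src=10.0.0.5 user=alice sev=high "
              "product=fw vendor=acme ver=7.2 host=web01")

# Hypothetical target schema: the "plurality of input fields" pairs are mapped onto.
SCHEMA_FIELDS = ["timestamp", "source_ip", "user", "severity",
                 "product", "vendor", "product_version", "hostname"]
THRESHOLD = 0.5  # a mapping is accepted only if its confidence exceeds this

def tokenize(line):
    """Split a key=value log line into (name, value) tokens."""
    return [tuple(tok.split("=", 1)) for tok in line.split() if "=" in tok]

def feature_vector(name, value):
    """Characteristics of one pair: key spelling plus the shape of the value."""
    return {
        "key": name.lower(),
        "is_ipv4": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value)),
        "is_iso_ts": bool(re.fullmatch(r"\d{4}-\d{2}-\d{2}T[\d:]+Z?", value)),
        "is_version": bool(re.fullmatch(r"\d+(\.\d+)+", value)),
        "is_sev_word": value.lower() in {"low", "medium", "high", "critical"},
    }

# Three hand-built decision stumps stand in for trained trees. Each votes for
# one schema field or abstains (returns None).
KEY_ALIASES = {"ts": "timestamp", "time": "timestamp", "timestamp": "timestamp",
               "src": "source_ip", "src_ip": "source_ip", "user": "user",
               "sev": "severity", "severity": "severity", "product": "product",
               "vendor": "vendor", "ver": "product_version",
               "version": "product_version", "host": "hostname"}

def tree_key_name(fv):
    return KEY_ALIASES.get(fv["key"])

def tree_value_shape(fv):
    if fv["is_iso_ts"]:
        return "timestamp"
    if fv["is_ipv4"]:
        return "source_ip"
    if fv["is_version"]:
        return "product_version"
    if fv["is_sev_word"]:
        return "severity"
    return None

def tree_prefix(fv):
    k = fv["key"]
    if k.startswith("t") and fv["is_iso_ts"]:
        return "timestamp"
    if k.startswith("s") and fv["is_ipv4"]:
        return "source_ip"
    if k.startswith("s") and fv["is_sev_word"]:
        return "severity"
    if k.startswith("v") and fv["is_version"]:
        return "product_version"
    if k.startswith("v"):
        return "vendor"
    if k.startswith("p"):
        return "product"
    if k.startswith("u"):
        return "user"
    return None

TREES = [tree_key_name, tree_value_shape, tree_prefix]

def confidences(pair):
    """Confidence per field = fraction of trees voting for that field."""
    votes = Counter(tree(feature_vector(*pair)) for tree in TREES)
    votes.pop(None, None)  # abstentions carry no weight
    return {field: n / len(TREES) for field, n in votes.items()}

def build_parser(line, threshold=THRESHOLD):
    """For each schema field, try candidate pairs in descending confidence and
    keep the first one above the threshold; otherwise populate a null."""
    scored = [(pair, confidences(pair)) for pair in tokenize(line)]
    parser = {}
    for field in SCHEMA_FIELDS:
        ranked = sorted(((c.get(field, 0.0), pair[0]) for pair, c in scored),
                        reverse=True)
        parser[field] = next((key for conf, key in ranked if conf > threshold), None)
    return parser  # field -> source key name (part of the matched pair), or None

def apply_parser(parser, line):
    """Use the generated parser to normalize another log line into the schema."""
    pairs = dict(tokenize(line))
    return {field: (pairs.get(key) if key else None) for field, key in parser.items()}

if __name__ == "__main__":
    p = build_parser(SAMPLE_LOG)
    print(p)
    print(apply_parser(p, "ts=2024-02-01T00:00:00Z src=192.168.1.9 user=bob sev=low "
                          "product=fw vendor=acme ver=7.3 host=db01"))
```

With these stumps the `host` pair gets only one vote out of three for `hostname` (0.33), which falls below the 0.5 threshold, so that field is left null in the generated parser even though a candidate pair exists; every other field clears the threshold on its best candidate. Swapping the stumps for a trained ensemble changes only `TREES` and the feature set, not the threshold-and-fallback logic.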
The Crabtree et al. reference as modified by King et al. and Apger et al. and Kaimal et al. teaches all the limitations of claim 19. With respect to claim 20, King et al. teaches the system of claim 19, wherein the processor is further configured to:
receive an edited parser, wherein edits to the parser includes one or more of:
adding code to the parser and removing code from the parser (Paragraph 26 discloses including enabling non-developer skilled users to create parsing scripts/parsers or rules for new and/or varying syslog telemetry's); and
store the edited parser in a repository of edited parsers associated with a user (Paragraph 35 discloses log parsing system 202 may further be connected to a number of private and/or public databases, repositories, or other data sources);
receive a second log file from the user (Paragraph 48 discloses various log files); and
parse the second log file using the edited parser (Paragraph 26 discloses including enabling non-developer skilled users to create parsing scripts/parsers or rules for new and/or varying syslog telemetry's). The motivation to combine statement previously provided in the rejection of independent claim 19 provided above, combining the Crabtree et al. reference and the King et al. reference is applicable to dependent claim 20.
Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US PG-Pub. No. 20200226214 is directed to PARSING OF UNSTRUCTURED LOG DATA INTO STRUCTURED DATA AND CREATION OF SCHEMA: [0151] parser may generate a parsed message that logically operates similar to a JSON message, as shown in the above flattening examples. However, some downstream applications (e.g. a trained machine learning model) that consume parsed messages may instead expect a feature vector, which is a dense and fixed-size encoding that typically does not accommodate variations in size such as with messages or arrays. In an embodiment, a feature vector may expect a parsed array to be padded to an empirical maximum length. In an embodiment during training, a parser may maintain and expose a maximum length for each cluster signature array token as observed in the training corpus. For example, the parser may introduce a synthetic token attribute such as “MaxValuesSeenInOneToken” as shown in the following parsed array.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS E ALLEN whose telephone number is (571)270-3562. The examiner can normally be reached Monday through Thursday 830-630.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Boris Gorney can be reached at (571) 270-5626. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BORIS GORNEY/Supervisory Patent Examiner, Art Unit 2154
/N.E.A/Examiner, Art Unit 2154