DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/28/2020 has been entered.
 
Response to Amendments
The amendments filed 08/28/2020 have been entered. Claims 1, 4-19, 21-23, 25-27, and 29-33 remain pending in the application. Claims 31-33 are newly presented. 
 
Applicant’s arguments, with respect to the rejection(s) of claim(s) 1-30 under 35 U.S.C. 112(b) have been fully considered and are persuasive. Therefore, the previous rejection set forth in the previous office action mailed 05/01/2020 has been withdrawn. 
Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 23, and 27 under 35 U.S.C. 112(a) have been fully considered and are persuasive. Therefore, the 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-33 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In short, the examiner introduces new prior art of record Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”). The examiner notes that the specific arguments regarding the Carasso reference are rendered moot since Splunk is now relied upon to teach such language. Claim(s) 1, 4, 11-17, 19, 23, 26-27, and 30-33 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Splunk (See Below). 
The examiner notes, however, that specific rejections regarding dependent claims, which the examiner previously relied upon Carasso and/or Neeman are maintained and updated to reflect the new grounds of rejection. 

Claim Interpretation
At least Claim 1, as amended, recites: 
predicting breakpoints in the same by performing pattern recognition…wherein the pattern recognition compares patterns in the sample with a plurality of event delimiter patterns from a plurality of data source types; 

generating, using field prediction, a parsed events view of the sample data, the parsed events view comprising a plurality of predicted fields.


	In other words, it appears that the applicant is attempting to differentiate these two processes as NOT encompassing each other. However, based on the support and evidence from the specification, it appears that “pattern recognition” and “field prediction” are equivalent and/or otherwise comprises similar functional steps. 
	Specifically, the process of “field prediction” appears to draw support from paragraphs [0225]-[0229] of the as-filed specification. Paragraph [0226] describes, at least in part, how “field prediction” is accomplished and recites: 
“An embodiment may employ one or more techniques, methods processes, or the like, in order to prediction the probable locations of one or more fields in the data of the data source. An embodiment may look for patterns that appear to be key-value pairs within the data. An embodiment may look for patterns representing common data formats such as IP addresses…[Paragraph [0227]] At the same time or separately, an embodiment may identify patterns that suggest breakpoints in the data…The breakpoints and field predictions may be applied to the sample data in an embodiment to provide a parsed events view of the sample data…”
	
As can be seen, while “pattern recognition” and “field prediction” are both definite and indeed have support within the as-filed specification, they appear to encompass the same algorithms, functional steps, and/or processes. Because of this evidence from the specification and under the broadest reasonable interpretation of the claim language, the claimed terms “pattern recognition” and “field prediction” will be interpreted as encompassing the same and/or similar subject matter. 
For clarity of record and ease of reading, the examiner notes the following with respect to the below art-based rejection(s): 
Any text that is bolded is a limitation of a claim. 
The “teaching” or reference citation, along with any necessary examiner notes are contained within the parentheses “()” following the bolded claim language. 
Any text that is underlined is emphasized language from reference(s) cited and/or particularly important examiner notes. While NOT fully reflective of the rejection as a whole, these underlined passages are indicative or otherwise reflective of key evidence.  

Claim Rejections – 35 U.S.C. 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 4, 11-17, 19, 23, 26-27, and 30-33 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”). 
With respect to Claim 1, 
Splunk teaches A method performed, comprising: receiving a sample of machine data in a form produced by the data source (Throughout the Splunk reference, it is disclosed that the Splunk platform can “consume” or otherwise take in data of various formats. More specifically though, Pg. 12 “Splunk consumes any sort of data and indexes it, transforming it into useful and searchable knowledge in the form of events…” In one example, Pg. 30 describes getting data from TCP and UDP ports. In another example, Pg. 51 describes input data as “Windows event log data.” The examiner notes and any or all of the data discussed and disclosed within the Splunk reference teaches “receiving a sample of machine data in a form produced by the data source” as is required.). 
Splunk also teaches predicting breakpoints in the sample by performing pattern recognition, the breakpoints identifying boundaries between distinct event segments of a plurality of event segments of the sample, each event segment corresponding to an individual event (Pg. 111 "Many event logs have a strict one-line-per-event-format, but some do not. Usually, Splunk can automatically figure out the event boundaries..." Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. The examiner notes that as disclosed above, automatically figuring out event boundaries and/or breaking all events into segments teaches predicting breakpoints as is required. Further still, Pg. 113 describes an example where Splunk specifies event breaks and recites “This instructs Splunk to divide events in a file or stream by presuming any line that consists of all digits is the start of a new event, for any source whose source type was configured or determined by Splunk to be sourcetype::my-_custom_sourcetype.” Note that the start of a new event is, at least in part, determined by the source type of the event stream or file that is determined by Splunk. From above (See Pg. 139), the automatic source type recognition is determined through looking at the signatures of the source type (i.e. patterns). Therefore, the breakpoints, or segmentation, of events is determined using pattern recognition as is required. ). 
Splunk also teaches wherein the pattern recognition compares patterns in the sample with a plurality of event delimiter patterns from a plurality of data source types (In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these Autoclassification training enables Splunk to classify future event data with similar patterns as a specific source type..." Pg. 167 "Certain data sources and source types, such as CSV and MS Exchange log files, can have headers that contain field information. You can configure Splunk to automatically extract these fields during index-time event processing…When you enable automatic header-based field extraction for a specific source or source type, Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction."). 
Splunk further teaches generating, using field prediction, a parsed events view of the sample data, the parsed events view comprising a plurality of predicted fields for each of the distinct events segments (As an initial matter, the examiner notes the claim interpretation above with respect to “field prediction” and “pattern recognition”. Pg. 167 See above. In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these instructions to train Splunk to recognize a new source type, or Regex is a regular expression that operates on your data to extract fields. Name-capturing groups in the regex are extracted directly to fields, which means that you don't have to specify a Format for simple field extraction cases..." Pg. 164 "Splunk builds indexed fields by writing to _meta. Here how it works...After _meta is fully built during parsing, Splunk interprets the text in the following way...Units of text that contain a double colon (::) are turned into extracted fields. The text on the left side of the double colon becomes the field name, and the right side becomes the value...When splunk creates field names, it applies the following rules to all extracted fields, whether they are extracted at index-time or search-time..." Pg. 167 "When Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction..." For the claimed "parsed events view", See the example on Pg. 170-171, at least which in part, uses the "header information extraction" as described above. In particular, note the example "automatic extraction" on Pg. 171. This output teaches the "parsed events view" as claimed.). 
Splunk further teaches classifying the event segments into two or more groups based at least in part on a determination of similarity (Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source The examiner notes that each source type teaches at least one of the claimed "group." And because there are numerous groups as well as the ability to train user specific source types, Splunk necessarily teaches "two or more groups" as is required. The examiner further notes, for clarity, that, by definition, a classifier groups things. So, when the disclosed Splunk autoclassifier classifies or "recognizes" new event data as a particular source type, it is classifying the event data as is required. Further still, as was described above, this classification is the result of "similar patterns" (Pg. 153); thus, the classification necessarily is based on a determination of similarity (i.e. similar patterns) as is required.). 
Splunk also further still teaches examining, for each of the groups, field data in each of the plurality of event segments (As an initial matter, the examiner notes the extreme breadth of the term "examining". "Examining" is interpreted, under the broadest reasonable interpretation, as encompassing any functionality whatsoever, that results in or is a result of any transformation, determination, other identification, and/or merely observing "field data." Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..."). 
determining, based on the field data, an extraction rule for extracting a common set of one or more predicted fields from each event segment of the group (Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..." The examiner notes that “defining a delimiter-based extraction rule” teaches the claim language. The common set being the fields extracted which are “tied” to the “new” source type. That is, the when Splunk encounters the “new” source type, Splunk has an extraction rule for that source type. Therefore, that source type has a “common set of one or more predicted fields…” as the claim language requires. In addition and/or in the alternative, Pg. 151 describes how Splunk can “Configure rule-based source type recognition.” While any or all of the rules in this section teach the claim language, the examiner especially notes “delayed rules.” “Delayed rules” are described as “stanzas [that] contain classification rules for generic source types…”). 
Splunk also teaches storing the extraction rules in computer memory (Pg. 139 “If splunk is unable to assign a source type for the event using the preceding methods, it creates a new source type for event signature (see Step 4, above). Splunk stores learned pattern information in sourcetypes.conf.” The examiner notes that as 
Splunk also teaches wherein the method is performed by a computing system comprising one or more processors (Splunk Pg. 1 “The data can be on the same machine as the Splunk indexer.” The “same machine” teaches “performed by a computing system comprising one or more processors” as is required.). 
 
With respect to Claim 4, Splunk teaches wherein classifying includes automatically identifying one or more fields in an event segment by matching patterns associated with one or more known fields (Splunk Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a user's specific source types, Splunk discloses on Pgs. 154-158 various source types that the autoclassifier is "pre-trained" to classify. Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures.” The examiner notes that comparing signatures (i.e. patterns) to “previously seen signatures” (i.e. known patterns) teaches the claim language.). 
	With respect to Claim 11, Splunk teaches wherein storing the extraction rules includes storing the extraction rules in association with a data sourcetype of the data source (Splunk Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..." The examiner notes that tying an extraction rule to a source type, as is disclosed, teaches the claim language. In addition or in the alternative, Pg. 162 “Write_meta = true writes the extracted field name and value to _meta, which is where Splunk stores indexed fields…”). 

With respect to Claim 12, Splunk teaches wherein storing the extraction rules includes storing the extraction rules in association with the data source (Splunk Pg. 159 Note the description for the attribute/value pair for “Learn_model”. It recites “for known sourcetypes, the file classifier will add a model file to the learned dictionary…more specifically, set LEARN_MODEL to false if you can easily classify your source by its name or a rule…” Based on this example, if LEARN_MODEL is set to true, then the extraction rules (which from Pg. 151 are stored, created, or otherwise determined in “props.conf”) will be used in the model. Thus, Splunk teaches the claim language. In addition or in the alternative, Splunk, in general teaches a properties Under the broadest reasonable interpretation of the claim language, the configuration and/or rules stored in one file for a specific source type teach the claimed “Extraction Model.” Further, Pg. 138 Top of page “Events with the same source type can come from different sources…If you search ‘sourcetype=linux_syslog, Splunk will return events from both of those sources.” The examiner notes that if events with a specific source type can “come from different sources”, the extraction rules, under the broadest reasonable interpretation, stored in the configuration file, are stored or are otherwise configured for a data source. Thus, Splunk teaches the claim language.). 

With respect to Claim 13, Splunk teaches wherein storing the extraction rules includes storing the extraction rules as an extraction model (Splunk Pg. 159 Note the description for the attribute/value pair for “Learn_model”. It recites “for known sourcetypes, the file classifier will add a model file to the learned dictionary…more specifically, set LEARN_MODEL to false if you can easily classify your source by its name or a rule…” Based on this example, if LEARN_MODEL is set to true, then the extraction rules (which from Pg. 151 are stored, created, or otherwise determined in “props.conf”) will be used in the model. Thus, Splunk teaches the claim language. In addition or in the alternative, Splunk, in general teaches a properties configuration file (i.e. “props.conf”). As described on at least Pg. 151 “Configure rule-based source type Under the broadest reasonable interpretation of the claim language, the configuration and/or rules stored in one file for a specific source type teach the claimed “Extraction Model.”). 

	With respect to Claim 14, the combination of Splunk teaches wherein storing the extraction rules includes storing the extraction rules as an extraction model of a data source (Splunk Pg. 159 Note the description for the attribute/value pair for “Learn_model”. It recites “for known sourcetypes, the file classifier will add a model file to the learned dictionary…more specifically, set LEARN_MODEL to false if you can easily classify your source by its name or a rule…” Based on this example, if LEARN_MODEL is set to true, then the extraction rules (which from Pg. 151 are stored, created, or otherwise determined in “props.conf”) will be used in the model. Thus, Splunk teaches the claim language. In addition or in the alternative, Splunk, in general teaches a properties configuration file (i.e. “props.conf”). As described on at least Pg. 151 “Configure rule-based source type recognition to expand the range of source types that Splunk recognizes. Splunk automatically assigns rule-based source types based on regular expressions [Regex] you specify in props.conf.” Under the broadest reasonable interpretation of the claim language, the configuration and/or rules stored in one file for a specific source type teach the claimed “Extraction Model.” Further, Pg. 138 Top of page “Events with the same source type can come from different sources…If you search ‘sourcetype=linux_syslog, Splunk will return events from both of those sources.” The examiner notes that if events with a specific source type can “come from different sources”, the extraction rules, under the broadest reasonable interpretation, stored in the configuration file, are stored or are otherwise configured for a data source. Thus, Splunk teaches the claim language.). 

	With respect to Claim 15, Splunk teaches wherein storing the extraction rules includes storing the extraction rules as an extraction model of a data sourcetype (Splunk, See citation regarding Claim 14 above.). 

With respect to Claim 16, Splunk teaches wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with a user interface displaying a representation of one or more of the extraction rules (Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line of your sample and asks you to teach it the values for the timestamp…” In the next step (step 4), a user enters the values of the timestamp that are to be learned, then, “…If the values are sufficient, Splunk displays: “Learned pattern. If you are satisfied that the timestamps formats have been learned, hit control-c…” Finally, step 5 Splunk displays the “regex” for the specified and learned timestamp. The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.). 

With respect to Claim 17, Splunk teaches wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with a user interface displaying a representation of one or more of the extraction rules, the representation including a depiction of an event segment (Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line of your sample and asks you to teach it the values for the timestamp…” In the next step (step 4), a user enters the values of the timestamp that are to be learned, then, “…If the values are sufficient, Splunk displays: “Learned pattern. If you are satisfied that the timestamps formats have been learned, hit control-c…” Finally, step 5 Splunk displays the “regex” for the specified and learned timestamp. The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.
The examiner notes the “depiction” of the patterns learned (Bottom of Pg. 128). This depiction, as shown, teaches “the representation including a depiction of an event segment.”). 

With respect to Claim 19, Splunk teaches wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with the user interface displaying a representation of one or more of the extraction rules, the representation including a depiction of an event segment having one or more field portions each substituted with a field identifier in accordance with a particular extraction rule (Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line of your sample and asks you to teach it the values for the timestamp…” In the next step (step 4), a user enters the values of the timestamp that are to be learned, then, “…If the values are sufficient, Splunk displays: “Learned pattern. If you are satisfied that the timestamps formats have been learned, hit control-c…” Finally, step 5 Splunk displays the “regex” for the specified and learned timestamp. The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.
The examiner notes the “depiction” of the pattern learned (Bottom of Pg. 128). This depiction, as shown, teaches “the representation including a depiction of an event segment.” Further, note that the regex rule for such an extraction shows field identifiers of, for example, “day, litmonth, year.” At least these portions teach “field identifier” as is required.). 
With respect to Claim 23, 
Splunk teaches A system comprising: a memory; and a processing device coupled with the memory to perform operations comprising: receiving a sample of machine data in a form produced by the data source (Throughout the Splunk reference, it is disclosed that the Splunk platform can “consume” or otherwise take in data of various formats. More specifically though, Pg. 12 “Splunk consumes any sort of data and indexes it, transforming it into useful and searchable knowledge in the form of events…” In one example, Pg. 30 describes getting data from TCP and UDP ports. In another example, Pg. 51 describes input data as “Windows event log data.” The examiner notes and any or all of the data discussed and disclosed within the Splunk reference teaches “receiving a sample of machine data in a form produced by the data source” as is required.). 
Splunk also teaches predicting breakpoints in the sample by performing pattern recognition, the breakpoints identifying boundaries between distinct event segments of a plurality of event segments of the sample, each event segment corresponding to an individual event (Pg. 111 "Many event logs have a strict one-line-per-event-format, but some do not. Usually, Splunk can automatically figure out the event boundaries..." Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. The examiner notes that as disclosed above, automatically figuring out event boundaries and/or breaking all events into segments teaches predicting breakpoints as is required. Further still, Pg. 113 describes an example where Splunk specifies event breaks and recites “This instructs Splunk to divide events in a file or stream by presuming any line that consists of all digits is the start of a new event, for any source whose source type was configured or determined by Splunk to be sourcetype::my-_custom_sourcetype.” Note that the start of a new event is, at least in part, determined by the source type of the event stream or file 
Splunk also teaches wherein the pattern recognition compares patterns in the sample with a plurality of event delimiter patterns from a plurality of data source types (In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these instructions to train Splunk to recognize a new source type, or give it new samples to better recognize a pre-trained source type. Autoclassification training enables Splunk to classify future event data with similar patterns as a specific source type..." Pg. 167 "Certain data sources and source types, such as CSV and MS Exchange log files, can have headers that contain field information. You can configure Splunk to automatically extract these fields during index-time event processing…When you enable automatic header-based field extraction for a specific source or source type, Splunk scans it for header field information, which it then uses for field extraction. If a source has the Splunk extracts fields using delimiter-based key/value extraction."). 
Splunk further teaches generating, using field prediction, a parsed events view of the sample data, the parsed events view comprising a plurality of predicted fields for each of the distinct events segments (As an initial matter, the examiner notes the claim interpretation above with respect to “field prediction” and “pattern recognition”. Pg. 167 See above. In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these instructions to train Splunk to recognize a new source type, or give it new samples to better recognize a pre-trained source type. Autoclassification training enables Splunk to classify future event data with similar patterns as a specific source type..." In Addition and/or in the alternative, Pg. 160 "Configure index-time field extraction" Pg. 161 "Regex is a regular expression that operates on your data to extract fields. Name-capturing groups in the regex are extracted directly to fields, which means that you don't have to specify a Format for simple field extraction cases..." Pg. 164 "Splunk builds indexed fields by writing to _meta. Here how it works...After _meta is fully built during parsing, Splunk interprets the text in the following way...Units of text that contain a double colon (::) are turned into extracted fields. The text on the left side of the double colon becomes the field name, and the right side becomes the value...When splunk creates field names, it applies the following rules to all extracted fields, whether they are extracted at index-time or search-time..." Pg. 167 "When Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction..." For the claimed "parsed events view", See the example on Pg. 170-171, at least which in part, uses the "header information extraction" as described above. In particular, note the example "automatic extraction" on Pg. 171. This output teaches the "parsed events view" as claimed.). 
Splunk further teaches classifying the event segments into two or more groups based at least in part on a determination of similarity (Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a user's specific source types, Splunk discloses on Pgs. 154-158 various source types that the autoclassifier is "pre-trained" to classify. The examiner notes that each source type teaches at least one of the claimed "group." And because there are numerous groups as well as the ability to train user specific source types, Splunk necessarily teaches "two or more groups" as is required. The examiner further notes, for clarity, that, by definition, a classifier groups things. So, when the disclosed Splunk autoclassifier classifies or "recognizes" new event data as a particular source type, it is classifying the event data 
Splunk also further still teaches examining, for each of the groups, field data in each of the plurality of event segments (As an initial matter, the examiner notes the extreme breadth of the term "examining". "Examining" is interpreted, under the broadest reasonable interpretation, as encompassing any functionality whatsoever, that results in or is a result of any transformation, determination, other identification, and/or merely observing "field data." Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..."). 
Splunk teaches determining, based on the field data, an extraction rule for extracting a common set of one or more predicted fields from each event segment of the group (Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search that source type. Therefore, that source type has a “common set of one or more predicted fields…” as the claim language requires. In addition and/or in the alternative, Pg. 151 describes how Splunk can “Configure rule-based source type recognition.” While any or all of the rules in this section teach the claim language, the examiner especially notes “delayed rules.” “Delayed rules” are described as “stanzas [that] contain classification rules for generic source types…”). 
Splunk also teaches storing the extraction rules in computer memory (Pg. 139 “If splunk is unable to assign a source type for the event using the preceding methods, it creates a new source type for event signature (see Step 4, above). Splunk stores learned pattern information in sourcetypes.conf.” The examiner notes that as described above in Pg. 139 and 138 these stored pattern information are interpreted as “extraction rules.”).

With respect to Claim 26, Splunk teaches wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with a user interface displaying a representation of one or more of the extraction rules, the representation including a depiction of an event segment (Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.
The examiner notes the “depiction” of the patterns learned (Bottom of Pg. 128). This depiction, as shown, teaches “the representation including a depiction of an event segment.”). 
With respect to Claim 27, 
Splunk teaches A non-transitory computer readable storage medium encoding instruction thereon that, in response to execution by one or more processing devices, cause the one or more processing devices to perform operations comprising: receiving a sample of machine data in a form produced by the data source (Throughout the Splunk reference, it is disclosed that the Splunk platform can “consume” or otherwise take in data of various formats. More specifically though, Pg. 12 “Splunk consumes any sort of data and indexes it, transforming it into useful and searchable knowledge in the form of events…” In one example, Pg. 30 describes getting data from TCP and UDP ports. In another example, Pg. 51 describes input data as “Windows event log data.” The examiner notes and any or all of the data 
Splunk also teaches predicting breakpoints in the sample by performing pattern recognition, the breakpoints identifying boundaries between distinct event segments of a plurality of event segments of the sample, each event segment corresponding to an individual event (Pg. 111 "Many event logs have a strict one-line-per-event-format, but some do not. Usually, Splunk can automatically figure out the event boundaries..." Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. The examiner notes that as disclosed above, automatically figuring out event boundaries and/or breaking all events into segments teaches predicting breakpoints as is required. Further still, Pg. 113 describes an example where Splunk specifies event breaks and recites “This instructs Splunk to divide events in a file or stream by presuming any line that consists of all digits is the start of a new event, for any source whose source type was configured or determined by Splunk to be sourcetype::my-_custom_sourcetype.” Note that the start of a new event is, at least in part, determined by the source type of the event stream or file that is determined by Splunk. From above (See Pg. 139), the automatic source type recognition is determined through looking at the signatures of the source type (i.e. 
Splunk also teaches wherein the pattern recognition compares patterns in the sample with a plurality of event delimiter patterns from a plurality of data source types (In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these instructions to train Splunk to recognize a new source type, or give it new samples to better recognize a pre-trained source type. Autoclassification training enables Splunk to classify future event data with similar patterns as a specific source type..." Pg. 167 "Certain data sources and source types, such as CSV and MS Exchange log files, can have headers that contain field information. You can configure Splunk to automatically extract these fields during index-time event processing…When you enable automatic header-based field extraction for a specific source or source type, Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction."). 
generating, using field prediction, a parsed events view of the sample data, the parsed events view comprising a plurality of predicted fields for each of the distinct events segments (As an initial matter, the examiner notes the claim interpretation above with respect to “field prediction” and “pattern recognition”. Pg. 167 See above. In addition, Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures. If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern." In addition and/or in the alternative, Pg. 153 "Train Splunk's source type autoclassifier. Use these instructions to train Splunk to recognize a new source type, or give it new samples to better recognize a pre-trained source type. Autoclassification training enables Splunk to classify future event data with similar patterns as a specific source type..." In Addition and/or in the alternative, Pg. 160 "Configure index-time field extraction" Pg. 161 "Regex is a regular expression that operates on your data to extract fields. Name-capturing groups in the regex are extracted directly to fields, which means that you don't have to specify a Format for simple field extraction cases..." Pg. 164 "Splunk builds indexed fields by writing to _meta. Here how it works...After _meta is fully built during parsing, Splunk interprets the text in the following way...Units of text that contain a double colon (::) are turned into extracted fields. The text on the left side of the double colon becomes the field name, and the right side becomes the value...When splunk creates field names, it applies the following rules to all extracted fields, whether they are extracted at index-time or search-time..." Pg. 167 "When Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction..." For the claimed "parsed events view", See the example on Pg. 170-171, at least which in part, uses the "header information extraction" as described above. In particular, note the example "automatic extraction" on Pg. 171. This output teaches the "parsed events view" as claimed.). 
Splunk further teaches classifying the event segments into two or more groups based at least in part on a determination of similarity (Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a user's specific source types, Splunk discloses on Pgs. 154-158 various source types that the autoclassifier is "pre-trained" to classify. The examiner notes that each source type teaches at least one of the claimed "group." And because there are numerous groups as well as the ability to train user specific source types, Splunk necessarily teaches "two or more groups" as is required. The examiner further notes, for clarity, that, by definition, a classifier groups things. So, when the disclosed Splunk autoclassifier classifies or "recognizes" new event data as a particular source type, it is classifying the event data as is required. Further still, as was described above, this classification is the result of 
Splunk also further still teaches examining, for each of the groups, field data in each of the plurality of event segments (As an initial matter, the examiner notes the extreme breadth of the term "examining". "Examining" is interpreted, under the broadest reasonable interpretation, as encompassing any functionality whatsoever, that results in or is a result of any transformation, determination, other identification, and/or merely observing "field data." Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..."). 
Splunk teaches determining, based on the field data, an extraction rule for extracting a common set of one or more predicted fields from each event segment of the group (Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..." The examiner notes that source type. Therefore, that source type has a “common set of one or more predicted fields…” as the claim language requires. In addition and/or in the alternative, Pg. 151 describes how Splunk can “Configure rule-based source type recognition.” While any or all of the rules in this section teach the claim language, the examiner especially notes “delayed rules.” “Delayed rules” are described as “stanzas [that] contain classification rules for generic source types…”). 
Splunk also teaches storing the extraction rules in computer memory (Pg. 139 “If splunk is unable to assign a source type for the event using the preceding methods, it creates a new source type for event signature (see Step 4, above). Splunk stores learned pattern information in sourcetypes.conf.” The examiner notes that as described above in Pg. 139 and 138 these stored pattern information are interpreted as “extraction rules.”).
With respect to Claim 30, Splunk teaches wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with a user interface displaying a representation of one or more of the extraction rules, the representation including a depiction of an event segment (Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line of your sample and asks you to teach it the values for the timestamp…” In the next step (step 4), a user enters the values of the timestamp that are to be learned, then, “…If the The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.
The examiner notes the “depiction” of the patterns learned (Bottom of Pg. 128). This depiction, as shown, teaches “the representation including a depiction of an event segment.”). 
With respect to Claim 31, Splunk teaches examining, for a group of the two or more groups, a location, size, and content of field data to determine the extraction rule that extracts all of the field data from all of the predicted fields in the group (As an initial matter, the examiner again notes the breadth of the term “examining.” While believed definite, functionality encompassed by “examining” is broad and, in addition, does not appear to be different from the functionality of “examining” as recited in Claim 1. Splunk Pg. 139 “It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on.” In addition, the examiner notes any or all of the “pre-trained” source types as disclosed on Pg. 154-158.” As can be seen from observing at least these pre-trained source types, Splunk can automatically recognize the fields for these source types. As disclosed on Pg. 139, if a “signature” is recognized (it is similar to one that is trained), Splunk can 

With respect to Claim 32, Splunk teaches performing a first classification of event segments into a first set of groups based at least in part on the determination of similarity (Splunk Pg. 138-139 describes the “methods” that Splunk uses to assign source types to event data. Most importantly, Splunk discloses that “As it processes event data, Splunk steps through these methods in a defined order of precedence. It starts with hardcoded source type configurations…moves on to rule-base source type associations, and then works through methods like automatic source type recognition and automatic source type learning.” The examiner notes Step 3 and 4. In step 3, Splunk attempts “…to match incoming data to source types using classification rules…” In Step 4 (Pg. 139), Splunk uses “automatic source type recognition to match similar-looking files, and through that, assign a source type…When Splunk calculates a signature, it compares it to previously seen signatures…” The examiner notes that the any or all of Splunk’s Steps 3 and/or Step 3 teach the claim language where the “Determination of similarity” is the matching of rules and/or “previously seen signatures.”) 
Examining, for each of first set of the groups, the field data in each of the plurality of event segments (As an initial matter, the examiner again notes the breadth of the term “examining.” While believed definite, functionality encompassed by “examining” is broad and, in addition, does not appear to be different from the functionality of “examining” as recited in Claim 1. Splunk Pgs. 138-139. The examiner Splunk calculates a signature, it compares it to previously seen signatures…” The examiner notes that calculating a signature for a particular event teaches the functionality encompassed by “examining.”) 
Determining that an extraction rule does not exist that extracts all of the field data from all of the predicted fields in a group of the first set of groups (Splunk Pgs. 138-139, especially Pg. 139. “If the signature appears to be a radically new pattern, Splunk creates a new source type for the pattern. Note: at this stage in the source type assignation process Splunk just matches incoming data with source types that it has learned previously. It doesn’t create new source types for unique signatures until the final stage.” The examiner notes that if a signature is “radically new” then, under the broadest reasonable interpretation of the claim, an extraction does not exist. This is why, as disclosed in Step 6 (Pg. 139) and as disclosed above, a new source type is created for that event signature. The examiner further notes that if the “radically new pattern” does not have a sourcetype, it logically follows that that “radically new pattern” does not belong or is otherwise part of the “first set of groups” as is required.). 
Wherein classifying the event segments into the two or more groups based at least in part on the determination of similarity is a second classification, the second classification responsive to the determining that the extraction rule does not exist (Pg. 139. See Step 5 or alternatively Step 6. Step 5 discloses the “delayed rule based source type association.” The examiner notes, importantly, that this step is after it is determined that the event in question is not a “previously seen signature.” In fact, Splunk discloses that “[t]his is a useful ‘catch-all’ for source types, in case Splunk missed any with intelligent matching…” Logically, with the context of the previous limitation, the claimed “second classification” is the application of these delayed rules. That is, because the “new” pattern was not “caught” by the first rules, it is caught by Splunk’s “delayed rules” and this, indeed, is “responsive to the determining that the extraction rules does not exist” as is required.). 
With respect to Claim 33, Splunk teaches reclassifying the event segments into a plurality of groups until a successful set of extraction rules is identified, the successful set of extraction rules is being a set satisfying a predefined criterion for extracting sample data in the sample (Splunk Pg. 139 “…If Splunk is unable to assign a source type for the event using the preceding methods, it creates a new source type for the event signature (see Step 4, above). Splunk stores learned pattern information in sourcetypes.conf.” The examiner notes that any or all of steps 1-5 are considered “the preceding methods” and, in addition, any or all of steps 1-5 teach the functionality encompassed by “reclassifying”. In addition, creating a new source type for the new event pattern teaches “…until a successful set of extraction rules is identified.” Further still, the “predefined criterion” is the signature and/or source type of the “radically new pattern.”). 
Storing the successful set of extraction rules as an extraction model (Splunk Pg. 139 “…If Splunk is unable to assign a source type for the event using the preceding methods, it creates a new source type for the event signature (see Step 4, . 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5-6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”) in view of Neeman et al (US 8,751,486).

With respect to Claim 5, Splunk teaches wherein classifying includes automatically identifying one or more fields in an event segment by matching patterns associated with one or more known fields... (Splunk Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a user's specific source types, Splunk discloses on Pgs. 154-158 various source types that the autoclassifier is "pre-trained" to classify. Pg. 138-139 especially top of Pg. 139 "Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures.” The examiner notes that comparing signatures (i.e. patterns) to “previously seen signatures” (i.e. known patterns) teaches the claim language.). 
Splunk, however, does not explicitly disclose...of a late-binding schema. 

Neeman, however, does teach...of a late-binding schema (Neeman teaches late-binding schema Col. 6 Lines 0-15 "Schema that applies structure to the data in the unstructured data store may be applied at the time a search is performed. As used herein, "schema" is a set of fields that a query can use to specify criteria for what events should be returned in response to the query. In some configuration a schema is not applied until the time a search is performed. This process is referred to herein as a "late binding schema."...In some configurations, a schema (in this case, a late binding schema) may be applied at search time to extract values from the fields from events to identify which events meet field criteria specified in the search." The examiner notes that using this particular schema a user or system making a query can specify criteria for what events should be returned. These criteria are patterns for which the system should look for and therefore reads on “matching patterns.”). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the field extraction as taught by Splunk modified with the explicit teaching of a late-binding schema as taught by 
The examiner notes the definition given in Neeman of what a “late binding schema” is, and indeed what the instant specification supports as the definition. That is, a “late-binding schema” is “a set of fields that a query can sue to specify criteria for what events should be returned…at search time.” 
Under this definition, the examiner submits that, in the alternative, Splunk teaches the claim language as well. That is, Splunk teaches…of a late-binding schema (Splunk Pg. 164 “When Splunk creates field names, it applies the following rules to all extracted fields, whether they are extracted at index-time or search-time…” Because, according to the above disclosure, fields can be extracted according to rules at “search time”, based on the above definition, Splunk teaches the claim language as well. While, not necessarily relied upon for the above rejection, the examiner notes this interpretation and teaching for clarity of record.). 

With respect to Claim 6, the combination of Splunk and Neeman teach wherein classifying includes automatically identifying one or more fields in an event segment by matching patterns associated with one or more known fields of a late-binding schema, the known fields having an association with a domain category (Splunk Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a Splunk uses automatic source type recognition to match similar-looking files and, through that, assign a source type. It calculates signatures for patterns in the first few thousand lines of any file or stream of network input. These signatures identify things like repeating word patterns, punctuation patterns, line length, and so on. When Splunk calculates a signature, it compares it to previously seen signatures.” The examiner notes that comparing signatures (i.e. patterns) to “previously seen signatures” (i.e. known patterns) teaches the claim language. Pg. 167-168 "Splunk scans it for header field information, which it then uses for field extraction. If a source has the necessary header information, Splunk extracts fields using delimiter-based key/value extraction. Splunk does this at index time by changing the source type of the incoming data...Next, it creates a stanza for this new source type...defines a delimiter-based extraction rule for the static table header...and then ties that extraction rule to the new source type...Finally, at search time, Splunk applies field transform to events from the source..." The examiner notes the disclosed functionality of “tying” an extraction rule to a source type. According to the instant specification, for example Paragraph [0226], a “domain category” is, for example, “…classes, categories, or types of subject matter domains that may associated with directly or indirectly with or among a data source, source type, or eventtype, for example…” Thus, when Splunk discloses that the extraction rule (which, at least in part, is responsible for extracting fields) is “tied” to a source type, Splunk necessarily discloses that the known fields “have association” with a “domain category” as is required by the claim language.
 As used herein, "schema" is a set of fields that a query can use to specify criteria for what events should be returned in response to the query. In some configuration a schema is not applied until the time a search is performed. This process is referred to herein as a "late binding schema."...In some configurations, a schema (in this case, a late binding schema) may be applied at search time to extract values from the fields from events to identify which events meet field criteria specified in the search." The examiner notes that using this particular schema a user or system making a query can specify criteria for what events should be returned. These criteria are patterns for which the system should look for and therefore reads on “matching patterns.”   ). 

With respect to Claim 8, the combination of Splunk and Neeman teach wherein the determination of similarity includes a cluster analysis (Neeman Col. 10 Lines 51-54 “Source type is a concept that is used to group similar data sources, and is determined by looking at rules defined for the source or via a clustering algorithm on data content.” The examiner notes that grouping similar data sources by, for example, a “clustering algorithm” teaches the claim language.).

Claims 9, 21, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”) in view of Carasso et al. (US 2014/0207784).
With respect to Claim 9, Splunk teaches all of the limitations of Claim 1 as described above. 
Splunk, however, does not appear to explicitly disclose wherein the determination of similarity includes a cluster analysis based at least in part on one or more from among connectivity-based clustering, centroid-based clustering, distribution-based clustering, density-based clustering, canopy clustering, K-means clustering, subspace clustering, and correlation clustering.
Carasso does teach wherein the determination of similarity includes a cluster analysis based at least in part on one or more from among connectivity-based clustering, centroid-based clustering, distribution-based clustering, density-based clustering, canopy clustering, K-means clustering, subspace clustering, and correlation clustering (Carasso Pg. 10. Paragraph [0100] "…a variety of clustering techniques may be applied to the retrieved records. In some embodiments, the clustering techniques used might be an unsupervised clustering technique, where the task is to develop a classification and sorting of the records without regard to a predefined number of groups or cluster to be generated. Such unsupervised clustering techniques seek to identify similarities between portions of data within the records in order to determine whether the records can be characterized as forming a group. Such groups are typically also known as clusters… “any of variety of unsupervised clustering techniques may be employed, including but not limited to k-means, kx-trees, density estimation, self-organizing map modeling (SOM), adaptive resonance theory models (ART), as well as other feature extraction techniques. Further, the similarity may be based on any one or more fields or portions of data within the records."). 

	 With respect to Claim 21, the combination of Splunk and Carasso teach wherein the method is further performed by the computer system to deliver a response time of about 20 seconds or less (Carasso See Fig.3 - Fig. 4. which display at least two configurations of a computer system. Any or all of the disclosed computer systems teach “the computer system.” The examiner further notes and references Steve Henty’s article on UI response times. Henty notes that UI interactions in the range of 2-10 seconds “represent the boundary between a “responsive” system and a “slow” system.” Based on this reference a person of ordinary skill in the art would realize that it would have been obvious to have a response time of “around 5 seconds or less” because that would make the system feel responsive to a user. The examiner further notes that, by the way the claim is worded, the only functional requirement is that the method of claim 1 is performed by a computer system. The specific response time is the applicant “intended use.” As understood by the examiner, the only functional requirement of the claim is the “the computer system” is capable of “delivering a response time of about 20 seconds or less.”).

With respect to Claim 22, the combination of Splunk and Carasso teach wherein the method is further performed by the computer system to deliver a response time of about 5 seconds or less (Carasso See Fig.3 - Fig. 4. which display at least two configurations of a computer system. Due to the indefiniteness of the claim, any or all of these computer systems reads on a computer system with sufficient speed to deliver an acceptable response time. The examiner notes and references Steve Henty’s article on UI response times. Henty notes that UI interactions in the range of 2-10 seconds “represent the boundary between a “responsive” system and a “slow” system.” Based on this reference a person of ordinary skill in the art would realize that it would have been obvious to have a response time of “around 5 seconds or less” because that would make the system feel responsive to a user.).

Claims 7, 10, 25, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”) in view of Srinivasa et al. (US 2003/0115189). 

With respect to Claim 7, Splunk teaches all of the limitations of Claim 1 as described above. 
Splunk does not explicitly disclose wherein the determination of similarity includes a statistical classification. 
Srinivasa does teach wherein the determination of similarity includes a statistical classification (Paragraph [0052 "In practice a larger number of dimensions and statistical classification algorithms could be used for form a set of decision surfaces a member or non-member of a particular event category." Determining a member or non-member teaches the “determination of similarity” and, as disclosed in Srinivasa, this is done with at least “statistical classification algorithms” as is required.). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the determination of similarity as taught by Splunk modified with the statistical classification as taught by Srinivasa because using statistical classification would give a more accurate representation of the class within an event subspace (Srinivasa Paragraph [0053]). 

With respect to Claim 10, the combination of Splunk and Srinivasa teach classifying includes automatically identifying one or more fields in an event segment (Splunk Pg. 153 "Train Splunk's source type autoclassifier…Autoclassification training enables Splunk to classify future event data with similar patterns as specific source type. This can be useful when Splunk is indexing directories that contains data with a mix of source types..." The examiner notes that in addition to being able to train a user's specific source types, Splunk discloses on Pgs. 154-158 various source types that the autoclassifier is "pre-trained" to classify. The examiner notes that each source type teaches at least one of the claimed "group." And because there are numerous groups as well as the ability to train user specific source types, Splunk necessarily teaches "two or more groups" as is required. The examiner further notes, for clarity, that, by definition, a classifier groups things. So, when the disclosed Splunk autoclassifier classifies or "recognizes" new event data as a particular source type, it is 
The combination of Splunk and Srinivasa teach the determination of similarity includes a statistical classification (Srinivasa Paragraph [0052 "In practice a larger number of dimensions and statistical classification algorithms could be used for form a set of decision surfaces for automatically classifying a test page as a member or non-member of a particular event category.").

With respect to Claim 25, the combination of Splunk and Srinivasa teach wherein the determination of similarity includes a statistical classification (Srinivasa Paragraph [0052 "In practice a larger number of dimensions and statistical classification algorithms could be used for form a set of decision surfaces for automatically classifying a test page as a member or non-member of a particular event category."). 
With respect to Claim 29, the combination of Splunk and Srinivasa teach wherein the determination of similarity includes a statistical classification (Srinivasa Paragraph [0052 "In practice a larger number of dimensions and statistical classification algorithms could be used for form a set of decision surfaces for automatically classifying a test page as a member or non-member of a particular event category."). 

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Splunk Getting Data In Manual Version 4.2.2 (NPL 2011, hereafter “Splunk”) in view of Cheok ("Wireshark: A guide to Color My Packets", NPL 2014).

With respect to Claim 18, Splunk teaches all of the limitations of Claim 1 as discussed above. 
Splunk further teach wherein storing the extraction rules is conditioned, at least in part, on receiving an indication of acceptance based on user interaction with a user interface displaying a representation of one or more of the extraction rules…( Pg. 127-128 shows the process of training Splunk to recognize and extract timestamps from an event. Especially note Step 3 “Splunk displays the first line of your sample and asks you to teach it the values for the timestamp…” In the next step (step 4), a user enters the values of the timestamp that are to be learned, then, “…If the values are sufficient, Splunk displays: “Learned pattern. If you are satisfied that the timestamps formats have been learned, hit control-c…” Finally, step 5 Splunk displays the “regex” for the specified and learned timestamp. The user hitting control-c teaches the claimed “user interaction” with a “indication of acceptance.” Further the displaying of the Regex rule for the timestamp teaches displaying the extraction rules. Thus, Splunk teaches the claim language.).
Splunk, however, does not appear to explicitly disclose… the representation including a depiction of an event segment having one or more field portions color-coded in accordance with a particular extraction rule. 
…the representation including a depiction of an event segment having one or more field portions color-coded in accordance with a particular extraction rule ( See entire reference but especially Pg. 4 Section 2.3 "The Wireshark Display filter is temporarily applied to locate and display specific packets based on defined protocol field name(s). See Figure 5 Pg. 5 "Creating a display filter via the Expression…button." The examiner notes that the expression reads on claimed extraction rule.). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the extraction rules and interface as taught by Splunk modified with the color coding as taught by Cheok because this would give a visual representation of what different segments within an event mean, thus allowing for faster human analysis (Cheok Pg. 10 Fig. 13). 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FEN TAMULONIS whose telephone number is (571)272-0934.  The examiner can normally be reached on 7:30AM-5:30PM MON-FRI EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/F.C.T./Examiner, Art Unit 2126       
                                                                                                                                                                                                    
/MICHAEL J HUNTLEY/Primary Examiner, Art Unit 2116