DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on January 13, 2021 has been entered.

3.	Applicant’s response filed on January 13, 2021 has been considered.  Claims 1, 4, 11, 14, 21, 24, 34, 37, and 40 have been amended. Claims 1, 4, 6, 8-11, 14, 16, 18-21, 24, 26, 28-30, and 34-42 are pending.

Claim Objections
4.	Claims 1, 11, and 21 are objected to because of the following informalities:
Referring to claims 1, 11, 21:
	Claims 1, 11, and 21 recite “determining that a third plurality of events from the second plurality of events comprises the notable event, wherein the value extracted from each event of the third plurality of events during execution of the search query satisfies the condition included in the search query”, where the highlighted ‘the third plurality of events’ should be ‘the second plurality of events’, according to the claim context.
 
Claim Rejections - 35 USC § 103

5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


6.	Claims 1, 4, 6, 8-11, 14, 16, 18-21, 24, 26, 28-30, and 34-42 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (U.S. 2013/0073573 A1), hereinafter “Huang”, in view of Yu et al. (U.S. 2011/0153604 A1), hereinafter “Yu”, further in view of Gula et al. (U.S. 2006/0161816 A1), hereinafter “Gula”.
Referring to claims 1, 11, 21:
	i.	Huang teaches:
 A computer-implemented method for identifying security threats involving a component in an information technology (IT) environment, the method comprising (see Huang, fig. 5):
 obtaining from the component, machine data, wherein the machine data is obtained over a network in the IT environment and wherein the machine data includes a record of activity of the component in the IT environment over a period of time (see Huang, fig. 4, 410 ‘receive log data’); 
  generating a first plurality of first events from the machine data, wherein each event of the first plurality of events provides a single record of activity associated with a single point in time, and wherein generating each event of the plurality of events includes (see Huang, fig. 4, 420 ‘separate log data into events; determine when each event received’ [i.e., generating a first plurality of events ] ): 
           segmenting the machine data to obtain the event, wherein segmenting includes dividing the machine data into a plurality of segments, and wherein a segment from the plurality of segments represents the event (see Huang, fig. 4, 420 ‘separate log data into events; determine when each event received’),
           determining, using the machine data, a timestamp for the event, wherein the timestamp indicates the single point in time, associating the timestamp with the event ( see Huang, fig. 4, 420 ‘separate log data into events; determine when each event received’), and 

           receiving a request to generate a first display, wherein the first display includes elements enabling input of queries to search the field-searchable data store (see Huang, fig. 5, 510 ‘receive query request’; [0043] ‘The graphics adapter 212 displays’);
 receiving input entered using the first display, wherein the input includes a search query specifying criteria for notable events, and wherein the search query includes (see Huang, fig. 5, 514 ‘parse query request and create query pipeline’):
                       a field associated with a type of information contained in one or more events stored in the field-searchable data store, wherein the field is associated with an extraction rule used, during execution of the search query, to extract values for the field from the one or more events (see Huang, [0071] ‘failed login time="the last two hours"|rex "extract srcIP"|top srcIP|head 5 [i.e., where ‘failed login time’, ‘srcIP’ corresponding to ‘a field’ ]’),
             a condition for the values extracted using the extraction rule (see Huang, [0071] ‘failed login time="the last two hours"|rex "extract srcIP"|top srcIP|head 5 [i.e., where ‘the last two hours’ corresponding to ‘a condition’ ]’), and
                        a time range (see Huang, [0071] ‘failed login time="the last two hours"|rex "extract srcIP"|top srcIP|head 5 [i.e., where ‘the last two hours’ corresponding to ‘a time range’ ]’);  
  executing, the search query to identify a notable event, wherein executing the search query includes (see Huang, fig. 5; [0072] ‘The above query request includes four separate query operators…regular expression’):
              identifying a second plurality of events from the first plurality of events that each have a respective timestamp that is within the time range included in the search query, wherein at least one event of the second plurality of events corresponds to: a network message, an execution of a program or script, an indication of a fault exception, or an indication of an unhandled interrupt (see Huang, [0072] ‘The first operator "failed login time=`the last two hours`" indicates search for `failed login" attempts for last two hours at a specified event source [i.e., where ‘failed login attempts 
               extracting a value from each event of the second plurality of events, wherein the value is extracted using the extraction rule, and wherein the value is associated with the field included in the search query (see Huang, [0072] ‘The second operator (rex "extract srcIP") is a regular expression for extracting a first value (here, source IP addresses) from events obtained by the first operator (here, failed login attempts that occurred during the last two hours [i.e., the second plurality of events ]).’), and 
               determining that a third plurality of events from the second plurality of events comprises the notable event, wherein the value extracted from each event of the third plurality of events during execution of the search query satisfies the condition included in the search query (see Huang, [0072] ‘The third operator ("top srcIP") [i.e., where ‘top srcIP’ corresponding to determining a third plurality of events from the second plurality of events that satisfies the condition ] operator sorts matching entries by a field in the event (in this case, source IP address) [i.e., where matching source IP address in the event corresponding to ‘satisfies the condition included in the search query ] by matching counts.’), and 
determining a type of potential security issue associated with the notable event, wherein the type of potential security issue is determined based on the third plurality of events that comprise the notable event, and wherein the type of potential security issue poses a threat to the operational performance or security of the IT environment (see Huang, fig. 5, 538 ‘render query result’; [0012] ‘enables aggregation, correlation, detection, and investigative tracking of suspicious network activities.  The system also supports response management, ad-hoc query resolution, reporting and replay for forensic analysis, and graphical visualization of network threats and activity.’); and
 	 transmitting output to generate a second display, wherein the second display includes graphical elements representing the notable event and the type of potential security issue, and wherein the graphical elements include a representation of the time range included in the search query (see Huang, fig. 5, 538 ‘render query result’; [0043] ‘The graphics adapter 212 displays’).  

Huang does not explicitly disclose not including an event from the second plurality of events in the subset third plurality of events when the value extracted from the event does not satisfy the condition.  
ii.	Yu discloses the boundaries, and segmenting the event based on the identified boundaries (see Yu, [0037] ‘By performing this checking in these special cases, the events partitioning process [i.e., segmenting the event ] may be able to provide data chunks to the events parsing modules which may be known to begin with proper, meaningful "<" characters [i.e., based on the identified boundaries ].’).
iii.	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Yu to the system of Huang for segmenting the event based on the identified boundaries. Huang teaches “system is for collecting data from disparate devices across a computer network, normalizing the data to a common schema, and consolidating the normalized data.  The data ("events") can then be monitored, analyzed, and used for investigation and remediation in a centralized view.” (see Huang, [0012]). Therefore, Yu's teaching could enhance the system of Huang, because using event boundaries facilitates identifying an event in an event log file.
iv.	Gula discloses not including an event from the second plurality of events in the subset third plurality of events when the value extracted from the event does not satisfy the condition (see Gula, fig. 12, Matching CIDR ’61.232.99.116’ [i.e., where ’CIDR 61.232.99.116’ corresponding to ‘the condition’ ], a list of specific events with source IP address or destination IP address matching ’61.232.99.116’ [i.e., not including an event from the second plurality of events in the third plurality of events when the value extracted from the event does not satisfy the condition ’61.232.99.116’]; [0094] ‘Specific events tool 1200 lists specific events for a particular IP address or network range.’).
v.	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gula to the system of Huang for not including an event from the second plurality of events in the subset third plurality of events when the value extracted from the event does not satisfy 
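As an added illustration of the query pipeline the rejection walks through (segment machine data into timestamped events, keep events within the time range, apply a regex extraction rule for srcIP, drop events whose extracted value fails a CIDR condition, then report the top source addresses), the following code is not taken from Huang, Yu, Gula, or the application under examination; the sshd-style log lines, the `_time`/`_raw` field names, and the `in_cidr` condition are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample machine data (not from any cited reference); one record per line.
RAW_LOG = """\
2021-01-13T09:58:12 sshd[101]: Failed password for root from 203.0.113.7 port 51022
2021-01-13T10:02:45 sshd[102]: Failed password for admin from 203.0.113.7 port 51030
2021-01-13T10:05:01 sshd[103]: Accepted password for alice from 198.51.100.4 port 40001
2021-01-13T10:07:19 sshd[104]: Failed password for root from 198.51.100.4 port 40002
2021-01-13T10:09:33 sshd[105]: Failed password for root from 203.0.113.7 port 51044
2021-01-13T07:30:00 sshd[106]: Failed password for root from 192.0.2.250 port 22001
"""
NOW = datetime(2021, 1, 13, 10, 10, 0)      # assumed "current time" for the search
TWO_HOURS = timedelta(hours=2)              # the claimed time range ("the last two hours")
# Extraction rule (the "rex" step): pulls the srcIP field out of an event's raw text.
SRC_IP_RULE = re.compile(r"from (?P<srcIP>\d{1,3}(?:\.\d{1,3}){3})")

def generate_events(machine_data):
    """Segment machine data into events; each segment (line) becomes one timestamped event."""
    events = []
    for segment in machine_data.splitlines():
        if not segment.strip():
            continue
        ts_text, _, _body = segment.partition(" ")
        events.append({"_time": datetime.fromisoformat(ts_text), "_raw": segment})
    return events

def run_query(events, now, time_range, condition, top_n=5):
    """failed login time=<range> | rex "extract srcIP" | top srcIP | head top_n, plus a value condition."""
    earliest = now - time_range
    # Second plurality: events inside the time range that are failed-login records.
    in_range = [e for e in events if earliest <= e["_time"] <= now and "Failed password" in e["_raw"]]
    extracted = []
    for e in in_range:
        m = SRC_IP_RULE.search(e["_raw"])
        if m:
            extracted.append((e, m.group("srcIP")))
    # Third plurality: only events whose extracted value satisfies the condition are kept.
    matching = [(e, ip) for e, ip in extracted if condition(ip)]
    counts = Counter(ip for _, ip in matching)
    return counts.most_common(top_n), [e for e, _ in matching]

def in_cidr(network):
    """Build a condition that is true when the extracted address lies inside the given CIDR block."""
    net = ip_network(network)
    return lambda ip: ip_address(ip) in net

if __name__ == "__main__":
    top, notable = run_query(generate_events(RAW_LOG), NOW, TWO_HOURS, in_cidr("203.0.113.0/24"))
    print(top, len(notable))
```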
Referring to claims 4, 14, 24:
		Huang, Yu, and Gula further disclose:
           	wherein extracting the value from each event of the second plurality of events includes using a late-binding schema, wherein the late-binding schema is a schema applied to events during execution of the search query (see Huang, [0072] ‘regular expression [i.e., a late-binding schema ]’).
Referring to claims 6, 16, 26:
	Huang, Yu, and Gula further disclose:
           a server, a device, database, etc. (see Huang, [0012] ‘devices across a computer network’). 
 Referring to claims 8, 18, 28:
	Huang, Yu, and Gula further disclose:
           receiving machine data generated by at least one component in the IT environment (see Huang, [0016] ‘A data source 110 is a network node, which can be a device or a software application.  Examples of data sources 110 include intrusion detection systems (IDSs),…’);
           wherein generating the event data further includes generating event data based on the machine data (see Huang, fig. 3A, 310 ‘event receiver’); and
           wherein the machine data includes one or more of: an operating system log, an application server log, a web server log, a firewall log, a software application log, and an activity log (see Huang, fig. 3A, 340 ‘log data’).
Referring to claims 9, 19, 29:
 	Huang, Yu, and Gula further disclose the indexer (see Huang, [0048] ‘IndexID’; [0082] ‘indexing operations’). 
Referring to claims 10, 20, 30:
	Huang, Yu, and Gula further disclose:
           in response to executing the search query including the search criteria to identify the at least one notable event, generating an alert in response to identifying the at least one notable event (see Huang, [0028] ‘alerts’). 
Referring to claims 34, 37, 40:
 	Huang, Yu, and Gula further disclose:
           wherein the value is a first value, wherein the search query specifies one or more additional fields in the machine data and additional values for the one or more additional fields, wherein executing the search query further includes extracting, for each event of the second plurality of events, one or more second values from the event, and wherein determining the type of potential security issue is based on a combination of first value and the one or more second values (see Huang, [0050] ‘In one embodiment, a field of interest is not an event field per se.  Instead, it is a "derived" value that is determined based on the values stored in one or more fields of an event [i.e., ‘based on a combination of first value and the one or more second values’].’). 
Referring to claims 35, 38, 41:
	Huang, Yu, and Gula further disclose:
                      wherein the search query is executed each time the machine data is obtained or at a periodic interval (see Gula, [0070] ‘provided automatically at periodic intervals’).
  	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gula to the system of Huang to execute queries periodically.  Huang teaches “system is for collecting data from disparate devices across a computer network, normalizing the data to a common schema, and consolidating the normalized data.  The data ("events") can then be monitored, analyzed, and used for investigation and remediation in a centralized view.” (see Huang, [0012]). Therefore, Gula's teaching could enhance the system of Huang, because executing queries periodically provides timely reports.
Referring to claims 36, 39, 42:
	Huang, Yu, and Gula further disclose:
.

Response to Arguments
7.	Applicant’s arguments filed on January 13, 2021 have been considered. Independent claims have been amended to include new limitations. However, upon further consideration, a new ground(s) of rejection is being made in view of Huang.  Applicant’s arguments are moot due to the new ground(s) of rejection.
 
Conclusion

8.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Syrowitz; Clinton et al. (US 20120124064 A1) disclose transformation of regular expressions;
(b)	Watson; Greg et al. (US 8812480 B1) disclose Targeted search system with de-obfuscating functionality;
(c)	Overcash; Kevin et al. (US 20080034425 A1) disclose system and method of securing web applications across an enterprise;
(d)	Ahuja; Ratinder Paul Singh et al. (US 8700561 B2) disclose System and method for providing data protection workflows in a network environment;
(e)	Tonsing; Johann Heinrich et al. (US 20090204723 A1) disclose System and Method for Processing and Forwarding Transmitted Information;
(f)	Yourtee; Kendra A. et al. (US 8850263 B1) disclose Streaming and sampling in real-time log analysis;
(g)	PANDYA; Ashish A. (US 20110029549 A1) disclose signature search architecture for programmable intelligent search memory.

9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571)272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.

	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/
Examiner, Art Unit 2492

/TAE K KIM/Primary Examiner, Art Unit 2492