DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/14/2019 was filed after the mailing date of the instant application. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-30 are rejected on the ground of non-statutory double patenting as being unpatentable over Claims 1-30 of U.S. Patent No. 10,339,149. Although the claims at issue are not identical, they are not patentably distinct from each other because they are claiming similar subject matter as shown in the Claims Comparison Table below. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify, add or omit the additional elements of claims 1, 18 and 24 to arrive at the claims 1, 18 and 24 of the instant application because the person would have realized that the remaining element would perform the same functions as before. "Omission of element and its function in combination is obvious expedient if the remaining elements perform same functions as before." See In re Karlson (CCPA) 136 USPQ 184, decided Jan 16, 1963, Appl. No. 6857, U.S. Court of Customs and Patent Appeals.
Claims Comparison Table
Instant Application No. 16/396,569

U.S. Patent No. 10,339,149
1. (similar claims 18 and 24) A computer-implemented method, comprising: 
receiving, at a computing device, a query for searching a set of events stored in a data store, the set of events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of events to generate a subset of events; 

identifying a field that exists in one or more events of the subset of events; 
determining a number corresponding to how many unique values exist for the field among the subset of events; 
causing display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries.

1.  (similar claims 18 and 24) A method, comprising: 
receiving a query for searching a set of field searchable events stored in a data store, the set of field searchable events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of field searchable events to generate a subset of events; 
identifying a field that exists in one or more events of the subset of events;  
determining a number corresponding to how many unique values exist for the field among the subset of events;  
causing concurrent display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries, thereby improving the performance and efficiency of communicating information from complex search results to a user;  
wherein the method is performed by one or more computing devices.

wherein each event in the set of events is associated with a timestamp, the set of events comprising field searchable events.

2. (similar claims 19 and 25) The method of claim 1, wherein each event in the set of field searchable events is associated with a timestamp.
3. (similar claims 20 and 26)  The method of claim 1, wherein each event in the set of events includes machine data reflecting activity in the one or more information technology systems.

3. (similar claims 20 and 26) The method of claim 1, wherein each event in the set of field searchable events includes machine data reflecting activity in the one or more information technology systems.

4. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes log data reflecting activity in the one or more information technology systems.

4.  (similar claims 20 and 26) The method of claim 1, wherein at least one event in the set of field searchable events includes log data reflecting activity in the one or more information technology systems.

5. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes unstructured data.

5.  (similar claims 20 and 26) The method of claim 1, wherein at least one event in the set of field searchable events includes unstructured data.

6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of events includes a criterion for evaluating values for the field that exists in one or more events in the set of events.

6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion for evaluating values for the field that exists in one or more events in the set of field searchable events.

7. The method of claim 1, wherein the query for searching the set of events includes a criterion requiring that matching events have a particular keyword.

7.  The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion requiring that matching events have a particular keyword.
8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of events is associated with a timestamp, and wherein the query for searching the set of events is associated with a time range used to search the set of events.

wherein each of the events in the set of field searchable events is associated with a timestamp, and wherein the query for searching the set of field searchable events is associated with a time range into which matching events must fall.

further comprising: causing display of information about one or more events that have the field and that are in the subset of events.

9.  The method of claim 1, further comprising: causing display of information about one or more events that have the field and that are in the subset of events.
10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.

10. (similar claims 23 and 29)  The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.
11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.

11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.
12. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.

12.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.
13. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.

13.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.
14. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events; receiving from a user a selection of a field name through the field picker; hiding from the display at least one previously displayed event that does not contain the selected field.

wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events;  receiving from a user a selection of a field name through the field picker;  hiding from the display at least one previously displayed event that does not contain the selected field.
wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.

15.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.
16. The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.

16.  The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.
17. The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.

17.  The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.



Claims 1-30 are rejected on the ground of non-statutory double patenting as being unpatentable over Claims 1-30 of U.S. Patent No. 10,061,821. Although the claims at issue are not identical, they are not patentably distinct from each other because they are claiming similar subject matter as shown in the Claims Comparison Table below. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify, add or omit the additional elements of claims 1, 18 and 24 to arrive at the claims 1, 18 and 24 of the instant application because the person would have realized that the remaining element would perform the same functions as before. "Omission of element and its function in combination is obvious expedient if the remaining elements perform same functions as before." See In re Karlson (CCPA) 136 USPQ 184, decided Jan 16, 1963, Appl. No. 6857, U.S. Court of Customs and Patent Appeals.
Claims Comparison Table
Instant Application No. 16/396,569

U.S. Patent No. 10,061,821
1. (similar claims 18 and 24) A computer-implemented method, comprising: 
receiving, at a computing device, a query for searching a set of events stored in a data store, the set of events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of events to generate a subset of events; 
identifying a field that exists in one or more events of the subset of events; 
determining a number corresponding to how many unique values exist for the field among the subset of events; 
causing display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries.

1. (similar claims 18 and 24) A method, comprising: 
receiving a query for searching a set of field searchable events stored in a data store, the set of field searchable events indicative of security or performance aspects of one or more information technology systems;  
causing concurrent display of (i) the number corresponding to how many unique values exist for the field along with a field name by which the field can be referenced in a query, and (ii) one or more other field names that each correspond to a field existing in one or more events in the subset of events and, for each other field name of the one or more other field names, an associated number corresponding to how many unique values exist for the corresponding field in the subset of events, thereby improving the performance and efficiency of communicating information from complex search results to a user;  wherein the 
wherein each event in the set of events is associated with a timestamp, the set of events comprising field searchable events.

2.  (similar claims 19 and 25) The method of claim 1, wherein each event in the set of field searchable events is associated with a timestamp.
3. (similar claims 20 and 26)  The method of claim 1, wherein each event in the set of events includes machine data reflecting activity in the one or more information technology systems.

3.  The method of claim 1, wherein each event in the set of field searchable events includes machine data reflecting activity in the one or more information.
4. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes log data reflecting activity in the one or more information technology systems.

4. (similar claims 20 and 26) The method of claim 1, wherein at least one event in the set of field searchable events includes log data reflecting activity in the one or more information technology systems.
5. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes unstructured data.

5.  (similar claim 26) The method of claim 1, wherein at least one event in the set of field searchable events includes unstructured data.
6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of events includes a criterion for evaluating values for the field that exists in one or more events in the set of events.

6.  (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion for evaluating values for a field that exists in one or more events in the set of field searchable events.
7. The method of claim 1, wherein the query for searching the set of events includes a criterion requiring that matching events have a particular keyword.

7.  The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion requiring that matching events have a particular keyword.
8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of events is associated with a timestamp, and wherein the query for searching the set of events is associated with a time range used to search the set of events.

8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of field searchable events is associated with a timestamp, and wherein the query for searching the set of field searchable events is associated with a time range into which matching events must fall.

further comprising: causing display of information about one or more events that have the field and that are in the subset of events.

9.  The method of claim 1, further comprising: causing display of information about one or more events that have the field and that are in the subset of events. 

10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.

10. (similar claims 23 and 29)  The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.
11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.

11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.
12. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.

12.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.
13. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.

13.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.
14. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events; receiving from a user a selection of a field name through the field picker; hiding from the display at least one previously displayed event that does not contain the selected field.

wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events;  receiving from a user a selection of a field name through the field picker;  hiding from the display at least one previously displayed event that does not contain the selected field.
15. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.

15.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker for specifying field criteria to further filter the subset of the events.
16. The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.

16.  The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.
17. The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.

17.  The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.



Claims 1-30 are rejected on the ground of non-statutory double patenting as being unpatentable over Claims 1-30 of U.S. Patent No. 9,430,574. Although the claims at issue are not identical, they are not patentably distinct from each other because they are claiming similar subject matter as shown in the Claims Comparison Table below. It would have been obvious to a person of ordinary skill in the art at the time the In re Karlson (CCPA) 136 USPQ 184, decided Jan 16, 1963, Appl. No. 6857, U.S. Court of Customs and Patent Appeals.
Claims Comparison Table
Instant Application No. 16/396,569

U.S. Patent No. 9,430,574
1. (similar claims 18 and 24) A computer-implemented method, comprising: 
receiving, at a computing device, a query for searching a set of events stored in a data store, the set of events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of events to generate a subset of events; 
identifying a field that exists in one or more events of the subset of events; 
determining a number corresponding to how many unique values exist for the field among the subset of events; 
causing display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries.

1. (similar claims 18 and 24) A method, comprising: 
receiving a query for searching a set of field searchable events stored in a data store;  
executing the query against the set of field searchable events to generate a subset of events;  
identifying a field that exists in one or more events of the subset of events;  determining a number corresponding to how many unique values exist for the field among the subset of events;
causing concurrent display of (i) the number corresponding to how many unique values exist for the field along with a field name by which the field can be referenced in a query, and (ii) one or more other field names that each correspond to a field existing in one or more events in the subset of events and, for each other field name of the one or more other field names, an associated number corresponding of how many unique values exist for the corresponding field in the subset of events;  wherein the method is performed by one or more computing devices.
wherein each event in the set of events is associated with a timestamp, the set of events comprising field searchable events.

2. (similar claims 19 and 25) The method of claim 1, wherein each event in the set of field searchable events is associated with a timestamp.
3. (similar claims 20 and 26)  The method of claim 1, wherein each event in the set of events includes machine data reflecting activity in the one or more information technology systems.

3. (similar claims 20 and 26) The method of claim 1, wherein each event in the set of field searchable events includes machine data reflecting activity in an information technology environment. 

4. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes log data reflecting activity in the one or more information technology systems.

4. (similar claims 20 and 26) The method of claim 1, wherein at least one event in the set of field searchable events includes log data reflecting activity in an information technology environment.
5. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes unstructured data.

5.  (similar claims 20 and 26) The method of claim 1, wherein at least one event in the set of field searchable events includes unstructured data.

6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of events includes a criterion for evaluating values for the field that exists in one or more events in the set of events.

6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion for evaluating values for a field that exists in one or more events in the set of field searchable events.

7. The method of claim 1, wherein the query for searching the set of events includes a criterion requiring that matching events have a particular keyword.

7.  The method of claim 1, wherein the query for searching the set of field searchable events includes a criterion requiring that matching events have a particular keyword.
8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of events is associated with a timestamp, and wherein the query for searching the set of events is associated with a time range used to search the set of events.

8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of field searchable events is associated with a timestamp, and wherein the query for searching the set of field searchable events is associated with a time range into which matching events must fall. 

further comprising: causing display of information about one or more events that have the field and that are in the subset of events.

9.  The method of claim 1, further comprising: causing display of information about one or more events that have the field and that are in the subset of events.
10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.

10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.
11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.

11. (similar claim 30)  The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.
12. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.

12.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.
13. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.

13.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.
14. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events; receiving from a user a selection of a field name through the field picker; hiding from the display at least one previously displayed event that does not contain the selected field.

wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events;  receiving from a user a selection of a field name through the field picker;  hiding from the display at least one previously displayed event that does not contain the selected field.
wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.

15.  The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker for specifying field criteria to further filter the subset of the events.
16. The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.

16.  The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.
17. The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.

17.  The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.



Claims 1-30 are rejected on the ground of non-statutory double patenting as being unpatentable over Claims 1-39 of U.S. Patent No. 9,129,028. Although the claims at issue are not identical, they are not patentably distinct from each other because they are claiming similar subject matter as shown in the Claims Comparison Table below.  It would have been obvious to a person of ordinary skill in the art at the time the In re Karlson (CCPA) 136 USPQ 184, decided Jan 16, 1963, Appl. No. 6857, U. S. Court of Customs and Patent Appeals.
Claims Comparison Table
Instant Application No. 16/396,569

U.S. Patent No. 9,129,028
1. (similar claims 18 and 24) A computer-implemented method, comprising: 
receiving, at a computing device, a query for searching a set of events stored in a data store, the set of events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of events to generate a subset of events; 
identifying a field that exists in one or more events of the subset of events; 
determining a number corresponding to how many unique values exist for the field among the subset of events; 
causing display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries.

A method, comprising: 
receiving a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has responsibility to search a time-based subgroup of the set of events, wherein each distributed machine has responsibility to search a time-based subgroup different than time-based subgroups that other distributed machines have responsibility to search, and wherein each event in the set of events is associated with a timestamp;  
in response to receiving the query, directing at least a portion of the plurality of distributed machines to search, in respective time-based subgroups, for events responsive to the query;  
receiving from the distributed machines information relating to values for a field that are in the events responsive to the query;  
aggregating the received information to determine a number corresponding to how many unique values exist for the field in the events responsive to the query;  
displaying the number corresponding to how many unique values exist for the field;  wherein the method is performed by one or more computing devices.



3. (similar claims 20 and 26)  The method of claim 1, wherein each event in the set of events includes machine data reflecting activity in the one or more information technology systems.

2. (similar claims 15 and 28)  The method of claim 1, wherein the events include machine data.
4. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes log data reflecting activity in the one or more information technology systems.

3. (similar claims 16 and 29) The method of claim 1, wherein the events include log data.
5. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes unstructured data.

4. (similar claims 17 and 30) The method of claim 1, wherein the events include unstructured data.
6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of events includes a criterion for evaluating values for the field that exists in one or more events in the set of events.

5. (similar claims 18 and 31)  The method of claim 1, wherein the criterion is an evaluation of values for the field.
7. The method of claim 1, wherein the query for searching the set of events includes a criterion requiring that matching events have a particular keyword.

13. (similar claims 26 and 39) The method of claim 1, wherein the criterion for searching the set of events includes a specified keyword.
8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of events is associated with a timestamp, and wherein the query for searching the set of events is associated with a time range used to search the set of events.

wherein the criterion for searching the set of events includes a time range to be compared to the timestamps of the events.



10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.

8. (similar claims 21 and 34) The method of claim 1, further comprising: receiving from the at least a portion of the plurality of distributed machines information about the events responsive to the query, wherein the information includes at least a portion of at least some of the events responsive to the query;  receiving timestamps associated with the events to which the information pertains;  displaying at least a portion of the information about the events responsive to the query in an order corresponding to the timestamps.

11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to how many unique values exist among the subset of events for a second field that exists in one or more events of the subset of events.


12. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.


13. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.





15. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.


16. The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.

10. (similar claims 23 and 36) The method of claim 1, further comprising: displaying a histogram of the events responsive to the query, wherein the histogram indicates how many of the events responsive to the query have a timestamp falling within each of a plurality of time ranges.

17. The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in a vicinity of one or more other displayed numbers and their associated field names.





Claims 1-30 are rejected on the ground of non-statutory double patenting as being unpatentable over Claims 1-20 of U.S. Patent No. 8,990,245. Although the claims they are claiming similar subject matter as shown in the Claims Comparison Table below.  It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify, add or omit the additional elements of claims 1, 16 and 19 to arrive at the claims 1, 18 and 24 of the instant application because the person would have realized that the remaining element would perform the same functions as before. "Omission of element and its function in combination is obvious expedient if the remaining elements perform same functions as before." See In re Karlson (CCPA) 136 USPQ 184, decided Jan 16, 1963, Appl. No. 6857, U. S. Court of Customs and Patent Appeals.
Claims Comparison Table
Instant Application No. 16/396,569

U.S. Patent No. 8,990,245
1. (similar claims 18 and 24) A computer-implemented method, comprising: 
receiving, at a computing device, a query for searching a set of events stored in a data store, the set of events indicative of security or performance aspects of one or more information technology systems; 
executing the query against the set of events to generate a subset of events; 
identifying a field that exists in one or more events of the subset of events; determining a number corresponding to how many unique values exist for the field among the subset of events; causing display of (i) the number corresponding to how many unique values exist for the field and (ii) a field name by which the field can be referenced in queries.

15. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker for specifying field criteria to further filter the subset of the events.

A computer-implemented method, comprising: receiving a query including a criterion for searching a set of events stored across a plurality of distributed machines, wherein each distributed machine has access to search a subgroup of the stored set of events, wherein each distributed machine has access to search a subgroup different than subgroups that other distributed machines have access to search, and wherein each event is associated with a timestamp;  
in response to receiving the query, directing the plurality of distributed machines to search, in respective subgroups to which they have access, for events responsive to the query;  
receiving from the distributed machines information about values for a field that are extracted from the events responsive to the query;  
synthesizing the information about the values for the field to determine a number corresponding to how many unique values exist for the field in the events responsive to the query;  displaying a field name representing the field and the number corresponding to how many unique values exist for the field in a field picker, wherein the field picker lists a plurality of field names corresponding to fields defined for the events responsive to the query;

displaying information about a subset of the events that are both responsive to the query and that meet a criterion for a field corresponding to a field name selected from the list of the plurality of field names.




3. (similar claims 20 and 26)  The method of claim 1, wherein each event in the set of events includes machine data reflecting activity in the one or more information technology systems.

2.  The method of claim 1, wherein the events include machine data.
4. (similar claim 26) The method of claim 1, wherein at least one event in the set of events includes log data reflecting activity in the one or more information technology systems.

3.  The method of claim 1, wherein the events include log data.
wherein at least one event in the set of events includes unstructured data.

4.  The method of claim 1, wherein the events include unstructured data.
6. (similar claims 21 and 27) The method of claim 1, wherein the query for searching the set of events includes a criterion for evaluating values for the field that exists in one or more events in the set of events.


7. The method of claim 1, wherein the query for searching the set of events includes a criterion requiring that matching events have a particular keyword.

15.  The method of claim 1, wherein the criterion for searching the set of events includes a specified keyword.
8. (similar claims 22 and 28) The method of claim 1, wherein each of the events in the set of events is associated with a timestamp, and wherein the query for searching the set of events is associated with a time range used to search the set of events.


9. The method of claim 1, further comprising: causing display of information about one or more events that have the field and that are in the subset of events.


10. (similar claims 23 and 29) The method of claim 1, further comprising: causing display of information about two or more events that have the field and that are in the subset events, wherein the two or more events that have the field are displayed in a sorted order corresponding to timestamps associated with the two or more events.


10.  The method of claim 1, further comprising: receiving from the distributed machines information about the events responsive to the query, wherein the information includes at least a portion of at least some of the events responsive to the query; receiving the timestamps associated with the events to which the information pertains; and displaying the information about the events responsive to the query in an order corresponding to the timestamps.

11. (similar claim 30) The method of claim 1, further comprising: causing display of at least a second number corresponding to 


12. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name is displayed in a field picker.


13. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in the query is displayed in a field picker.


14. The method of claim 1, wherein the display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries is displayed in a field picker, and wherein the method further comprises: causing display of information about one or more events in the subset of events; receiving from a user a selection of a field name through the field picker; hiding from the display at least one previously displayed event that does not contain the selected field.


16. The method of claim 1, further comprising: causing display of a histogram that indicates how many events in the subset of events are associated with a timestamp falling within each of a plurality of time ranges.

12.  The method of claim 1, further comprising: displaying a histogram of the events responsive to the query, wherein the histogram indicates how many of the events responsive to the query have a timestamp falling within each of a plurality of time ranges.

17. The method of claim 1, wherein causing display of the number corresponding to how many unique values exist for the field along with the field name by which the field can be referenced in queries causes display of the number and the field name in 





Citation of Pertinent Prior Arts
The prior art made of record and not relied upon in form PTO-892, if any, is considered pertinent to applicant's disclosure. For example,
Takahashi et al (Pub. No. US2005/0172162) teaches operation management, events processing with graphical user interface applications. 
Smith et al (Pub. No. US2011/0099500) teaches historical network event viewing.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH-HA DANG whose telephone number is (571)272-4033.  The examiner can normally be reached on M-F 10:00AM-6PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hassan (Tony) Mahmoudi can be reached on 571-272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Thanh-Ha Dang
/THANH-HA DANG/
Primary Examiner, Art Unit 2163