DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-17, 23, and 29-30 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-22 of U.S. Patent No. 10523521. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-22 of U.S. Patent No. 10523521 alone or in combination teach each and every limitation of claims 1-17, 23, and 29-30 of the instant application. 
For example: 
Regarding claim 1, Claim 1 of U.S. Patent No. 10523521 teaches a computer-implemented method performed by a configuration server coupled to a network, the method comprising: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: (Claim 1: receiving, via the GUI, input defining an ephemeral event stream comprising timestamped event data to be generated by the remote capture agent, the input including.)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and (Claim 1: an identifier of a protocol used by )
an amount of time the remote capture agent is to generate timestamped event data to be included in the ephemeral event stream; (Claim 1: an indication of an amount of time the remote capture agent is to generate the ephemeral event stream.)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and (Claim 1: generating configuration information including settings used by the remote capture agent to generate the ephemeral event stream.)
sending, via the network, the configuration information to the remote capture agent. (Claim 1: transmitting, via a network, the configuration information to the remote capture agent.)

Regarding claim 2, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 teaches wherein the remote capture agent generates the ephemeral event stream based on the configuration information. (Claim 1: wherein the configuration information is used to configure the generation of the at least one event stream.)

Claim 2 of U.S. Patent No. 10523521 teaches claim 3 of the instant application. Claim 3 of U.S. Patent No. 10523521 teaches claim 4 of the instant application. Claim 4 of U.S. Patent No. 10523521 teaches claim 5 of the instant application. Claim 5 of U.S. Patent No. 10523521 teaches claim 6 of the instant application. Claim 6 of U.S. Patent No. 10523521 teaches claim 7 of the instant application. Claim 7 of U.S. Patent No. 10523521 teaches claim 8 of the instant application. Claim 8 of U.S. Patent No. 10523521 teaches claim 9 of the instant application. Claim 8 of U.S. Patent No. 10523521 teaches claim 10 of the instant application. Claim 9 of U.S. 

Regarding claim 14, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 teaches further comprising: receiving a search query including one or more search criteria; (Claim 1: the input including: a search query to be executed against timestamped event data included in the at least one event stream generated by the remote capture agent.)
executing the search query to identify one or more ephemeral event streams satisfying the one or more search criteria. (Claim 1: wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment.)

Claim 13 of U.S. Patent No. 10523521 teaches claim 15 of the instant application. Claim 14 of U.S. Patent No. 10523521 teaches claim 16 of the instant application. Claim 15 of U.S. Patent No. 10523521 teaches claim 17 of the instant application. Claim 1 of U.S. Patent No. 10523521 teaches claim 23 of the instant application. Claim 16 of U.S. Patent No. 10523521 teaches claim 29 of the instant application. Claim 22 of U.S. Patent No. 10523521 teaches claim 30 of the instant application.

Claims 18-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10523521 in view of Dugatkin (US 20050021715 A1).
Regarding claim 18, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.

However, Dugatkin teaches wherein the method further comprises receiving second input used to filter display of a plurality of ephemeral event streams including the ephemeral event stream. ([0034]: The manager may provide a user interface to allow a user to view network traffic data; to select, edit and/or create filters.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because it is desirable to obtain an improved representation and evaluation of the genuine behavior of network traffic by using successive capturing and analysis of network traffic. The successive capturing and analysis of network traffic may be used for evaluating, measuring and validating networks, network applications, and network devices; and may be used to generate and/or emulate network traffic. As taught by Dugatkin, [0017].

Regarding claim 19, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose causing display of a graphical user interface (GUI) including event stream information related to at least one permanent event stream and the ephemeral event stream.
However, Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information related to at least one permanent event stream and the ephemeral event stream. ([0081]: A network traffic analysis specification provided by a user may be received. The data unit source programs (e.g. specific to an application), and others. [0088]: The network traffic characterization may be communicated to or made available to a traffic generator and/or displayed to a user, as shown in block 660.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because it is desirable to obtain an improved representation and evaluation of the genuine behavior of network traffic by using successive capturing and analysis of network traffic. The successive capturing and analysis of network traffic may be used for evaluating, measuring and validating networks, network applications, and network devices; and may be used to generate and/or emulate network traffic. As taught by Dugatkin, [0017].

Regarding claim 20, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose further comprising causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including a description of a capture trigger that caused generation of the ephemeral event stream.
However, Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including be set to be a particular kind of data unit, may be a particular network address specified as a source and/or destination address in a data unit, may be a data rate of the network traffic, and others.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because it is desirable to obtain an improved representation and evaluation of the genuine behavior of network traffic by using successive capturing and analysis of network traffic. The successive capturing and analysis of network traffic may be used for evaluating, measuring and validating networks, network applications, and network devices; and may be used to generate and/or emulate network traffic. As taught by Dugatkin, [0017].

Claims 21-22 and 25-26 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10523521 in view of Tamayo (US 20140279824 A1).
Regarding claim 21, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream.
However, Tamayo teaches causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream. (Fig 1 and Fig 7)
Regarding claim 22, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams.
However, Tamayo teaches further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams. (Fig 1 and Fig 7)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 25, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.

However, Tamayo teaches causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams. ([0080]: The expression of indicator causes the time-sensitive cube data system to sum or aggregate the total loan value of loans within the respective dimensions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 26, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is received.
However, Tamayo teaches causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Claim 24 is rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10523521 in view of Njemanze (US 8365278 B1).
Regarding claim 24, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream.
However, Njemanze teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream. (Column 9 lines 16-19: the agent can collect duplicate alerts but send only a single message with a count of the total number of such alerts to the manager)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because regardless of whether a host-based .

Claim 27 is rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10523521 in view of Markos (US 20050267967 A1).
Regarding claim 27, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream.
However, Markos teaches wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream. (Abstract: The plurality of events can be traced and/or monitored for one host or for a plurality of hosts coupled via the same network interface. The sets of events to be traced/monitored for a host are defined by the host and maintained in one or more configuration files.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because a need exists for a capability that .

Claim 28 is rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10523521 in view of Zhang (US 20120197934 A1).
Regarding claim 28, Claim 1 of U.S. Patent No. 10523521 teaches the method of claim 1.
Claim 1 of U.S. Patent No. 10523521 does not explicitly disclose wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol.
However, Zhang teaches wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol. ([0045]: FIG. 2 illustrates a block diagram of at least one embodiment of indexing engine 125. Indexing engine 125 receives MD from ingestion engine 120 and breaks the data into events. Indexing engine 125 can associate a time stamp with each event and also segment the events.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because conventional search systems are inefficient at handling real-time searches. It is desirable to have an improved method for enabling .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 18-20, 23, and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1).
Regarding claim 1, Dugatkin teaches a computer-implemented method performed by a configuration server coupled to a network, the method comprising: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote capture agent) 210. [0036]: user defined constraints. The constraints may include a “start trigger” events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose to generate timestamped event data.
However, Farmer teaches to generate timestamped event data. ([0083]: each data item in network traffic data 114 has a time stamp, which identifies a specific time and/or date associated with the data item, most commonly associated with the time and/or date at which the data item was recorded or detected.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because many current techniques used for attack discovery frequently do not reveal that an attack has taken place until an extended time has elapsed. It can often be unfeasible to store all network traffic data for a long enough period that allows for such late detection of an incident. It is desirable that an improved mechanism be provided for storage, recovery, and analysis of network traffic data. As taught by Farmer, [0007]-[0008].

Dugatkin teaches wherein the remote capture agent generates the ephemeral event stream based on the configuration information. ([0085]: The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)

Regarding claim 3, Dugatkin and Farmer teach the method of claim 1.
Dugatkin teaches wherein the method further comprises: receiving second input defining a second ephemeral event stream to be generated by the remote capture agent; updating, based on the second input, the configuration information to include second settings to be used by the remote capture agent to generate the second ephemeral event stream; and sending, via the network, the configuration information including the second settings to the remote capture agent. ([0036]: The collectors 210 may review, capture and otherwise obtain network traffic and network traffic data in capture groups. A “capture group” is a group of data units or network traffic data concerning the data units which may be collected according to system defined and/or user defined constraints. [0048]: In a successive refinement, a second capture group (e.g. a second ephemeral event stream) 330 may include all of the TCP data units 326, including FTP data units 332, HTTP data units 334, SMTP data units 336 and other data units 338.)

Regarding claim 4, Dugatkin and Farmer teach the method of claim 1.

Regarding claim 5, Dugatkin and Farmer teach the method of claim 1.
Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, wherein the event stream information for the ephemeral event stream includes at least one of: a name of the ephemeral event stream, a number of instances of the ephemeral event stream, an application associated with the ephemeral event stream, a start time of the ephemeral event stream, an end time of the ephemeral event stream, a time remaining for generation of event data associated with the ephemeral event stream, or a status of the ephemeral event stream. ([0081]: A network traffic analysis specification provided by a user may be received. The network traffic analysis specification may specify various characteristics of the network traffic the user wishes to have analyzed. The network traffic analysis specification may include commands or instructions that cause the network traffic characterization to include information concerning source and destination addresses, data unit types and subtypes, data unit protocols, port identifiers, data unit source programs (e.g. specific to an application), and others. [0088]: The network traffic characterization may be displayed to a user, as shown in block 660.)

Regarding claim 18, Dugatkin and Farmer teach the method of claim 1.
Dugatkin teaches wherein the method further comprises receiving second input used to filter display of a plurality of ephemeral event streams including the ephemeral event stream. ([0034]: The manager may provide a user interface to allow a user to view network traffic data; to select, edit and/or create filters.)

Regarding claim 19, Dugatkin and Farmer teach the method of claim 1.
Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information related to at least one permanent event stream and the ephemeral event stream. ([0081]: A network traffic analysis specification provided by a user may be received. The network traffic analysis specification may specify various characteristics of the network traffic the user wishes to have analyzed. The network traffic analysis specification may include commands or instructions that cause the network traffic characterization to include information concerning source and destination addresses, data unit types and subtypes, data unit protocols, port identifiers, data unit source programs (e.g. specific to an application), and others. [0088]: The network traffic characterization may be communicated to or made available to a traffic generator and/or displayed to a user, as shown in block 660.)

Regarding claim 20, Dugatkin and Farmer teach the method of claim 1.
be set to be a particular kind of data unit, may be a particular network address specified as a source and/or destination address in a data unit, may be a data rate of the network traffic, and others.)

Regarding claim 23, Dugatkin and Farmer teach the method of claim 1.
Dugatkin teaches wherein the input defining the ephemeral event stream is received via a graphical user interface (GUI). ([0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)

Regarding claim 29, Dugatkin teaches an apparatus, comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose generating timestamped event data.
However, Farmer teaches generating timestamped event data. ([0083]: each data item in network traffic data 114 has a time stamp, which identifies a specific time and/or date associated with the data item, most commonly associated with the time and/or date at which the data item was recorded or detected.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because many current techniques used for attack discovery frequently do not reveal that an attack has taken place until an extended time has elapsed. It can often be infeasible to store all network traffic data for a period long enough to allow such late detection of an incident, so an improved mechanism for storage, recovery, and analysis of network traffic data is desirable. As taught by Farmer, [0007]-[0008].

Regarding claim 30, Dugatkin teaches a non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations for facilitating processing of network data, the operations comprising: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote capture agent) 210. [0036]: user defined constraints. The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose generating timestamped event data.
However, Farmer teaches generating timestamped event data. ([0083]: each data item in network traffic data 114 has a time stamp, which identifies a specific time and/or date associated with the data item, most commonly associated with the time and/or date at which the data item was recorded or detected.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Claim 1 of U.S. Patent No. 10523521 to include the above limitation. One would have been motivated to do so because many current techniques used for attack discovery frequently do not reveal that an attack has taken place until an extended time has elapsed. It can often be infeasible to store all network traffic data for a period long enough to allow such late detection of an incident, so an improved mechanism for storage, recovery, and analysis of network traffic data is desirable. As taught by Farmer, [0007]-[0008].

Claims 6-8 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Cartsonis (US 6584501 B1).
Regarding claim 6, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including an interface element that, upon selection, causes an action to be applied to a set of user-selected ephemeral event streams. 
However, Cartsonis teaches causing display of a graphical user interface (GUI) including an interface element that, upon selection, causes an action to be applied to a set of user-selected ephemeral event streams. (Fig. 5. Col 2 line 54-57: The user interface of the present invention makes clear the interdependence among different parts of a networked application, and facilitates thread grouping in an interactive, dynamic manner. The user is also able to quickly narrow down an area of interest by zooming. Col 3 line 3-4: The method may also implement thread grouping (e.g. an action associated with managing the one or more ephemeral event streams to a set of 3 selected ephemeral event streams) as specified by the user.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because it is desirable to perform thread grouping based on protocol-specific, application-level, or user specification for easy navigation or analysis. As taught by Cartsonis, Col 2 line 42-Col 3 line 4.

Regarding claim 7, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. 
However, Cartsonis teaches wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. (Fig. 5. Col 2 line 54-57: The user interface of the present invention makes clear the interdependence among different parts of a networked application, and facilitates thread grouping in an interactive, dynamic manner. The user is also able to quickly narrow down an area of interest by zooming. Col 3 line 3-4: The method may also implement thread grouping (e.g. an action associated with managing the one or more ephemeral event streams to a set of 3 selected ephemeral event streams) as specified by the user.) 


Regarding claim 8, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream, wherein the input selecting the set of ephemeral event streams is based on an event stream attribute, and wherein the event stream attribute is at least one of: a category associated with the set of ephemeral event streams, a protocol used by network packets associated with the set of ephemeral event streams, an application used to create the set of ephemeral event streams, or an event stream lifecycle associated with the set of ephemeral event streams; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. 
However, Cartsonis teaches wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream, wherein the input selecting the set of ephemeral event streams is based on an event stream attribute, and wherein the event stream attribute is at least one of: a category associated with the set of ephemeral event streams, a protocol used by network packets associated with the set of ephemeral event streams, an application used to create the set of ephemeral event streams, or an event stream lifecycle associated with the set of ephemeral event streams; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. (Cartsonis describes a protocol-specific determination of the packets that should be grouped together. Col 2 line 58-60: The present invention thus facilitates analysis of packet-level operational characteristics in a packet trace that groups packets in coherent, application-level structure.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because it is desirable to perform thread grouping based on protocol-specific, application-level, or user specification for easy navigation or analysis. As taught by Cartsonis, Col 2 line 42-Col 3 line 4.

Regarding claim 16, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element used to navigate between the event stream information and creation information for a creator of the ephemeral event stream. 
However, Cartsonis teaches causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element used to navigate between the event stream information and creation information for a creator of the ephemeral event stream. (Fig. 2-5: a GUI that allows the user to navigate between different threads (e.g. event streams) and groups, and to display the threads/groups by server or client (e.g. creators).)  


Regarding claim 17, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element for navigating between the event stream information and creation information for a creator of the ephemeral event stream, wherein the creator of the ephemeral event stream is at least one of: an application for monitoring network traffic captured by the remote capture agent, or a capture trigger for generating additional timestamped event data from the network packets based on a security risk. 
However, Cartsonis teaches causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element for navigating between the event stream information and creation information for a creator of the ephemeral event stream, wherein the creator of the ephemeral event stream is at least one of: an application for monitoring network traffic captured by the remote capture agent, or a capture trigger for generating additional timestamped event data from the network packets based on a security risk. (Col 4 line 6-8: A thread is defined as some collection of individual packets that relate to a … For each application, threads are defined as some significant application-level type of event that occurs in the course of the application.)  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because in many situations, analysis of application-level behavior is desired. In addition, existing techniques fail to provide any easy-to-use graphical user interface for viewing application-level protocol analysis data. What is needed is a method and user interface for displaying network performance and protocol analysis results in a coherent and visually understandable manner. What is further needed is a method and user interface for accurately providing application-level protocol analysis without requiring time-consuming analysis of packet-level trace information. As taught by Cartsonis, Col 1 line 23-49.

Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Moran (US 7299277 B1).
Regarding claim 9, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the method further comprises: receiving input requesting to delete the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to delete the ephemeral event stream. 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because it is common practice to allow a user to delete old or obsolete event data to free up available space and ease navigation.

Regarding claim 10, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the method further comprises: receiving input requesting to disable the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to disable the ephemeral event stream. 
However, Moran teaches wherein the method further comprises: receiving input requesting to disable the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to disable the ephemeral event stream. (Fig. 30. Col 31 Table 38: Storing capture data for post-capture analysis by a sniffer, etc. Col 16 line 54-55: The event server provides operations for creating, deleting, enabling and disabling event groups. Col 17 line 48-49: The alarms server provides operations for creating, deleting, enabling and disabling 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because it is common practice to allow a user to disable outdated event capture rules to save processing power and bandwidth.

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Durham (US 7954109 B1).
Regarding claim 11, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams. 
However, Durham teaches causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams. (Col 4 line 8-11: Each of the captured data events is timestamped in correspondence with a predetermined clock. The captured and timestamped data events are then sorted according to their respective clock timestamps.)


Regarding claim 12, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams, wherein the event stream attribute is at least one of a name associated with each ephemeral event stream of the plurality of ephemeral event streams, a number of ephemeral event streams in the plurality of ephemeral event streams, an application used to create each of the ephemeral event streams of the plurality of ephemeral event streams, a start time associated with each ephemeral event stream of the plurality of ephemeral event streams, an end time associated with each ephemeral event stream of the plurality of ephemeral event streams, an amount of remaining time associated with each ephemeral event stream of the plurality of ephemeral event streams, and a status of each ephemeral event stream of the plurality of ephemeral event streams. 
However, Durham teaches causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams, wherein the event stream attribute is at least one of a name associated with each ephemeral event stream of the plurality of ephemeral event streams, a number of ephemeral event streams in the plurality of ephemeral event streams, an application used to create each of the ephemeral event streams of the plurality of ephemeral event streams, a start time associated with each ephemeral event stream of the plurality of ephemeral event streams, an end time associated with each ephemeral event stream of the plurality of ephemeral event streams, an amount of remaining time associated with each ephemeral event stream of the plurality of ephemeral event streams, and a status of each ephemeral event stream of the plurality of ephemeral event streams. (Col 4 line 8-11: Each of the captured data events is timestamped in correspondence with a predetermined clock. The captured and timestamped data events are then sorted according to their respective clock timestamps (e.g. a start time).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because in a system that employs multiple transmission protocols, the protocol-based timestamping of multiple captured data events can make it difficult to make accurate and reliable determinations as to absolute and relative data event lengths, and data event …

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Oda (US 20160330086 A1).
Regarding claim 13, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the method further comprises receiving second input modifying an end time for terminating the generation of the timestamped event data to be included in the ephemeral event stream, wherein modifying the end time includes one of: extending the end time, or reducing the end time. 
However, Oda teaches wherein the method further comprises receiving second input modifying an end time for terminating the generation of the timestamped event data to be included in the ephemeral event stream, ([0043]: It is noted that times t1, t2, and t3 may be input by a user from a time-range input screen, which is one of the screens displayed in a data collection server 200, or may be input from an external application.)
wherein modifying the end time includes one of: extending the end time, or reducing the end time. ([0077]: In a process relating to a time range over which data on a network packet is acquired, the time-range change part 113 sets or changes (e.g. modifying an end time), where 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because some events may require a longer capture time because of their complexity or criticality, such as an attempted security breach or attack. It is desirable to provide an interface for inputting a time range of the times t1 to t3 and inputting data-collection-destination base information, to a user or an application, so that a collection range of the packet collection target data and the data collection destination can be defined or changed. As taught by Oda, [0091].
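As an added illustration, not part of this office action or of any cited reference, the following Python sketch walks through the limitations mapped above for claims 1 and 30 (input naming a protocol and an amount of time, configuration information generated from that input and sent to a remote capture agent, timestamped event data generated only for that protocol and only until the end time) together with the lifecycle operations of claims 9, 10 and 13 (delete, disable, and extend or reduce the end time). The configuration schema, the in-process CaptureAgent standing in for the remote agent, and the sample packets are all constructed for the example and are not taken from any of the references.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample packets (capture time in seconds, protocol, payload); not real traffic.
SAMPLE_PACKETS = [
    (0.5, "http", "GET /login"),
    (1.0, "dns", "A example.test"),
    (2.0, "http", "POST /login"),
    (4.0, "http", "GET /admin"),
    (7.0, "http", "GET /logout"),
]


@dataclass
class StreamConfig:
    """Configuration information derived from the user's input (hypothetical schema)."""
    stream_id: str
    protocol: str       # identifier of the protocol whose packets feed the stream
    start_time: float   # seconds on the agent's clock
    end_time: float     # start_time + the requested amount of time
    enabled: bool = True


def build_config(protocol: str, duration_seconds: float, now: float = 0.0) -> StreamConfig:
    """Turn (protocol identifier, amount of time) into settings for the agent."""
    if duration_seconds <= 0:
        raise ValueError("duration must be positive")
    return StreamConfig(stream_id=str(uuid.uuid4()), protocol=protocol.lower(),
                        start_time=now, end_time=now + duration_seconds)


@dataclass
class CaptureAgent:
    """In-process stand-in for the remote capture agent; no network is involved here."""
    streams: Dict[str, StreamConfig] = field(default_factory=dict)
    events: Dict[str, List[dict]] = field(default_factory=dict)

    def receive_config(self, cfg: StreamConfig) -> None:
        # In a deployment this is the configuration message sent to the agent over the network.
        self.streams[cfg.stream_id] = cfg
        self.events.setdefault(cfg.stream_id, [])

    def observe(self, ts: float, protocol: str, payload: str) -> None:
        """One captured packet; emit a timestamped event for every live, matching stream."""
        for cfg in self.streams.values():
            if not cfg.enabled or protocol.lower() != cfg.protocol:
                continue
            if not (cfg.start_time <= ts < cfg.end_time):
                continue  # outside the stream's lifetime: the agent generates no more data
            self.events[cfg.stream_id].append(
                {"ts": ts, "protocol": cfg.protocol, "payload": payload})

    def set_end_time(self, stream_id: str, new_end: float) -> float:
        """Extend or reduce the end time; returns the previous end time."""
        cfg = self.streams[stream_id]
        if new_end <= cfg.start_time:
            raise ValueError("end time must be after the start time")
        old, cfg.end_time = cfg.end_time, new_end
        return old

    def disable(self, stream_id: str) -> None:
        self.streams[stream_id].enabled = False  # keep existing events, generate no more

    def delete(self, stream_id: str) -> int:
        """Remove the stream and its events; returns how many events were dropped."""
        del self.streams[stream_id]
        return len(self.events.pop(stream_id, []))


def capture(protocol: str, duration: float, packets=SAMPLE_PACKETS,
            new_end_after: Optional[Tuple[float, float]] = None,
            disable_after: Optional[float] = None) -> List[dict]:
    """Run one stream over the sample packets and return its events.

    new_end_after=(t, new_end) changes the end time once a packet with ts >= t arrives;
    disable_after=t disables the stream at that point.
    """
    agent = CaptureAgent()
    cfg = build_config(protocol, duration)
    agent.receive_config(cfg)
    for ts, proto, payload in packets:
        if new_end_after is not None and ts >= new_end_after[0]:
            agent.set_end_time(cfg.stream_id, new_end_after[1])
            new_end_after = None
        if disable_after is not None and ts >= disable_after:
            agent.disable(cfg.stream_id)
            disable_after = None
        agent.observe(ts, proto, payload)
    return agent.events[cfg.stream_id]


if __name__ == "__main__":
    print(capture("HTTP", 3.0))                            # events at 0.5 and 2.0
    print(capture("http", 3.0, new_end_after=(2.0, 5.0)))  # extended: 0.5, 2.0, 4.0
    print(capture("http", 3.0, new_end_after=(1.0, 1.0)))  # reduced: 0.5 only
```

The end-time check is done per packet against the agent's own clock, so extending or reducing the end time takes effect for the next packet without restarting the stream, and a disabled stream keeps the events it already produced while a deleted one loses them.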

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Claudatos (US 20080159146 A1).
Regarding claim 14, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose further comprising: receiving a search query including one or more search criteria; executing the search query to identify one or more ephemeral event streams satisfying the one or more search criteria. 
However, Claudatos teaches further comprising: receiving a search query including one or more search criteria; executing the search query to identify one or more ephemeral event streams satisfying the one or more search criteria. ([0040]: Various methods and formats may be used for logging data derived from the network traffic (e.g. events). The database may be used to [store] all the relevant data (e.g. can include the events of the ephemeral event streams) as well as additional data derived and/or extracted from the traffic itself so that the record can be easily searched.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because even if the entire traffic data were retained, there is no method to efficiently and effectively search the data. There is a need, therefore, for an improved method, article of manufacture, and apparatus for monitoring network traffic. As taught by Claudatos, [0004]-[0005].

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Seering (US 20150178342 A1).
Regarding claim 15, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein timestamped events in the ephemeral event stream are searchable using a late-binding schema. 
However, Seering teaches wherein timestamped events in the ephemeral event stream are searchable using a late-binding schema. ([0010]: the user-defined logic may be registered with the database meta-data, such that the loading of the data may be deferred to query time, which is also known as “late binding.” In one regard, late binding enables federated use of the user-defined data sources, for instance, the ability to run SQL queries directly over data stored in HDFS.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin and Farmer. One would have been motivated to do so because late binding is a well-known method for querying a database; in one regard, late binding enables federated use of the user-defined data sources, for instance, the ability to run SQL queries directly over data stored in HDFS. As taught by Seering, [0010].
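The late-binding schema of claim 15, as an added example (not code from the office action or from Seering): events are stored only as a timestamp plus raw text, and the field-extraction rules are supplied with each query, so a schema defined after the data was captured, or a second schema over the same stored events, works without re-ingesting anything. The regex schemas, the search function and the sample events are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RawEvent:
    """What the agent stored: a timestamp and the raw text, with no fields parsed."""
    ts: float
    raw: str


# Constructed events in the shape a capture agent might emit; not real traffic.
EVENTS = [
    RawEvent(100.0, "GET /login HTTP/1.1 200 src=10.0.0.5"),
    RawEvent(101.0, "POST /login HTTP/1.1 401 src=10.0.0.9"),
    RawEvent(102.0, "POST /login HTTP/1.1 401 src=10.0.0.9"),
    RawEvent(103.0, "GET /admin HTTP/1.1 403 src=10.0.0.9"),
    RawEvent(104.0, "GET /index HTTP/1.1 200 src=10.0.0.5"),
    RawEvent(105.0, "TLS ClientHello src=10.0.0.9"),  # not HTTP; no schema knew it at ingest
]

Schema = Callable[[str], Dict[str, str]]


def regex_schema(pattern: str) -> Schema:
    """A schema is just an extraction rule applied at query time; unmatched text yields {}."""
    rx = re.compile(pattern)

    def extract(raw: str) -> Dict[str, str]:
        m = rx.search(raw)
        return m.groupdict() if m else {}

    return extract


def search(events: Iterable[RawEvent], schema: Schema,
           where: Callable[[Dict[str, str]], bool],
           since: Optional[float] = None,
           until: Optional[float] = None) -> List[Tuple[float, Dict[str, str]]]:
    """Late binding: fields exist only while this query runs; stored events are untouched."""
    hits: List[Tuple[float, Dict[str, str]]] = []
    for ev in events:
        if since is not None and ev.ts < since:
            continue
        if until is not None and ev.ts >= until:
            continue
        fields = schema(ev.raw)
        if fields and where(fields):
            hits.append((ev.ts, fields))
    return hits


# Two schemas written after the data was stored, both run over the same raw events.
HTTP_SCHEMA = regex_schema(
    r"^(?P<method>\w+) (?P<path>\S+) HTTP/\S+ (?P<status>\d{3}) src=(?P<src>[\d.]+)$")
SRC_SCHEMA = regex_schema(r"src=(?P<src>[\d.]+)")


def failed_logins_by_src(events: Iterable[RawEvent] = EVENTS) -> Dict[str, int]:
    """Count 401 responses on /login per source address, a routine brute-force check."""
    counts: Dict[str, int] = {}
    for _, f in search(events, HTTP_SCHEMA,
                       lambda f: f["path"] == "/login" and f["status"] == "401"):
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


def events_from(src: str, since: Optional[float] = None,
                events: Iterable[RawEvent] = EVENTS) -> List[float]:
    """Timestamps of every stored event from src, whatever its protocol."""
    return [ts for ts, _ in search(events, SRC_SCHEMA,
                                   lambda f: f["src"] == src, since=since)]


if __name__ == "__main__":
    print(failed_logins_by_src())          # {'10.0.0.9': 2}
    print(events_from("10.0.0.9", 103.0))  # [103.0, 105.0]
```

Because nothing is parsed at ingest, the TLS line that the HTTP schema cannot interpret is still found by the source-address schema; an ingest-time schema would either have rejected it or stored it without the field the later query needs.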

Claims 21-22 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Tamayo (US 20140279824 A1).
Regarding claim 21, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream.
However, Tamayo teaches causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream. (Fig 1 and Fig 7)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so in order to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].


Dugatkin and Farmer do not explicitly disclose further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams.
However, Tamayo teaches further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams. (Fig 1 and Fig 7)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so in order to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 25, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams.
However, Tamayo teaches causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so in order to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 26, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is received.
However, Tamayo teaches causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is received. ([0080]: The expression of indicator causes the time-sensitive cube data system to sum or aggregate the total loan value of loans within the respective dimensions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so in order to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Njemanze (US 8365278 B1).
Regarding claim 24, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream.
However, Njemanze teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream. (Column 9 lines 16-19: the agent can collect duplicate alerts but send only a single message with a count of the total number of such alerts to the manager)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so because, regardless of whether a host-based or a network-based implementation is adopted and whether that implementation is knowledge-based or behavior-based, an intrusion detection system is only as useful as its ability to discriminate between normal system usage and true intrusions (accompanied by appropriate alerts). Accordingly, what is needed is a system that can provide accurate and timely intrusion detection and alert generation so as to effectively combat attempts to compromise a computer network or system. As taught by Njemanze, Column 2 lines 10-23.

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Markos (US 20050267967 A1).
Regarding claim 27, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream.
However, Markos teaches wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream. (Abstract: The plurality of events can be traced and/or monitored for one host or for a plurality of hosts coupled via the same network interface. The sets of events to be traced/monitored for a host are defined by the host and maintained in one or more configuration files.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so because a need exists for a capability that facilitates the analysis of network data received across a single interface. For example, a need exists for a capability that allows the tracing of one specific set of events for one host and the tracing of a different set of events for another host at substantially the same time. As taught by Markos, [0003].

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Farmer (US 20160112287 A1), and further in view of Zhang (US 20120197934 A1).
Regarding claim 28, Dugatkin and Farmer teach the method of claim 1.
Dugatkin and Farmer do not explicitly disclose wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol.
However, Zhang teaches wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol. ([0045]: FIG. 2 illustrates a block diagram of at least one embodiment of indexing engine 125. Indexing engine 125 receives MD from ingestion engine 120 and breaks the data into events. Indexing engine 125 can associate a time stamp with each event and also segment the events.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Farmer to include the above limitation. One would have been motivated to do so because conventional search systems are inefficient at handling real-time searches. It is desirable for an improved method for enabling searching and reporting of machine data in real time and/or non-real time. As taught by Zhang, [0006] and [0026].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZI YE whose telephone number is (571)270-1039.  The examiner can normally be reached on Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise, can be reached at 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ZI YE/Primary Examiner, Art Unit 2455