DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
	In the amendment filed on 4/15/2021, claims 1-5, 7-12, and 14-20 have been amended. Claim 6 is cancelled. Claim 21 is added. The currently pending claims considered below are claims 1-5 and 7-21.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Applicant’s representative Paul Smith (Reg. # 64,121) on 5/18/2021.

AMENDMENTS TO THE CLAIMS
This listing of claims will replace all prior versions and listings of claims in the application:
LISTING OF CLAIMS:
1.	(Currently amended) A non-transitory computer readable medium storing instructions which, when executed by one or more hardware processors, cause performance of operations comprising:
identifying, from a data stream, a first plurality of events that occur during a first time interval on a set of nodes in a computing environment;
ordering the events, in the first plurality of events, in an event distribution;
partitioning the first plurality of events into a plurality of clusters based on respective characteristics of each event in the first plurality of events;
wherein partitioning the first plurality of events into the plurality of clusters comprises:
selecting a cluster count limit for each particular cluster of the plurality of clusters based at least on positions of events, in a particular cluster, on the event data distribution;
wherein (a) events in a first cluster of the plurality of clusters are less than a particular distance from and (b) events in a second cluster of the plurality of clusters are more than the particular distance from the center of the event data distribution;
wherein a first cluster count limit for the first cluster is larger than a second cluster count limit for the second cluster; and


2.	(previously presented) The medium of claim 1, wherein the operations further comprise: 
identifying a second plurality of events occurring during a second time interval on the set of nodes; and  
merging the first plurality of events and the second plurality of events.

3.	(Currently amended) The medium of claim 2, wherein the merging comprises:
determining that at least some of the events in the first cluster of the plurality of events shares one or more attributes with a set of events in the second plurality of events;
generating a merged cluster comprising the first cluster and the set of events in the second cluster by generating a combined event count comprising a first event count associated with the first cluster and a second event count associated with the set of events in the second cluster; and
adding a first descriptor count associated with a first cluster event descriptor and a second descriptor count associated with a second event descriptor associated with the set of events in the second plurality of events to generate a third descriptor count associated with events of the merged 



5.	(previously presented) The medium of claim 3, wherein the operations further comprise:
subsequent to adding the first descriptor count to the second descriptor count and prior to generating the merged cluster, discarding event-specific information corresponding to the first event.

6.	(canceled) 

7.	(Currently amended) The medium of Claim 1, wherein the operations further comprise:
generating an interactive visualization that includes a plurality of interactive graphical objects, wherein each of the plurality of interactive graphical objects represents a cluster of the plurality of 
receiving, via the visualization, the user input selecting a subsection of the visualization that includes a subset of the plurality of interactive graphical objects; and
responsive to the selection, displaying a set of event descriptors corresponding to one or more 

8.	(Currently amended) A method comprising:
identifying, from a data stream, a first plurality of events that occur during a first time interval on a set of nodes in a computing environment;
ordering the events, in the first plurality of events, in an event distribution;
partitioning the first plurality of events into a plurality of clusters based on respective characteristics of each event in the first plurality of events;
wherein partitioning the first plurality of events into the plurality of clusters comprises:
selecting a cluster count limit for each particular cluster of the plurality of clusters based at least on positions of events, in a particular cluster, on the event data distribution;
wherein (a) events in a first cluster of the plurality of clusters are less than a particular distance from and (b) events in a second cluster of the plurality of clusters are more than the particular distance from the center of the event data distribution;
wherein a first cluster count limit for the first cluster is larger than a second cluster count limit for the second cluster; and
responsive to receiving user input requesting to view a data set comprising the first cluster, displaying information about one or more event descriptors from the first 

9.	(previously presented) The method of claim 8, further comprising:

merging the first plurality of events and the second plurality of events.

10.	(Currently amended) The method of claim 9, wherein the merging comprises:
determining that at least some of the events in the first cluster of the plurality of events shares one or more attributes with a set of events in the second plurality of events;
generating a merged cluster comprising the first cluster and the set of events in the second cluster by generating a combined event count comprising a first event count associated with the first cluster and a second event count associated with the set of events in the second cluster; and
adding a first descriptor count associated with a first cluster event descriptor and a second descriptor count associated with a second event descriptor  associated with the set of events in the second plurality of events to generate a third descriptor count associated with events of the merged 

11.	(previously presented) The method of claim 9, wherein merging the first plurality of events with the second plurality of events is based on event counts and descriptor counts without the use of event-specific information for individual events in the first plurality of events and the second plurality of events.

12.	(previously presented) The method of claim 10, further comprising:


13.	(original) The method of claim 12, wherein the event-specific information includes a timestamp associated with the first event.

14.	(Currently amended) The method of claim 8, further comprising:
generating an interactive visualization that includes a plurality of interactive graphical objects, wherein each of the plurality of interactive graphical objects represents a cluster of the plurality of 
receiving, via the visualization, the user input selecting a subsection of the visualization that includes a subset of the plurality of interactive graphical objects; and
responsive to the selection, displaying a set of event descriptors corresponding to one or more clusters of the plurality of 

15.	(Currently amended) A system comprising:
at least one device including a hardware processor; and
the system being configured to perform operations comprising: 
identifying, from a data stream, a first plurality of events that occur during a first time interval on a set of nodes in a computing environment;
ordering the events, in the first plurality of events, in an event distribution;

wherein partitioning the first plurality of events into the plurality of clusters comprises:
selecting a cluster count limit for each particular cluster of the plurality of clusters based at least on positions of events, in a particular cluster, on the event data distribution;
wherein (a) events in a first cluster of the plurality of clusters are less than a particular distance from and (b) events in a second cluster of the plurality of clusters are more than the particular distance from the center of the event data distribution;
wherein a first cluster count limit for the first cluster is larger than a second cluster count limit for the second cluster that are more than the threshold distance from the center of the event data distribution; and
responsive to receiving user input requesting to view a data set comprising the first cluster, displaying information about one or more event descriptors from the first 

16.	(previously presented) The method of claim 15, further comprising:

merging the first plurality of events and the second plurality of events.

17.	(Currently amended) The method of claim 16, wherein the merging comprises:
determining that at least some of the events in the first cluster of the plurality of events shares one or more attributes with a set of events in the second plurality of events;
generating a merged cluster comprising the first cluster and the set of events in the second cluster by generating a combined event count comprising a first event count associated with the first cluster and a second event count associated with the set of events in the second cluster; and
adding a first descriptor count associated with a first cluster event descriptor and a second descriptor count associated with a second event descriptor associated with the set of events in the second plurality of events to generate a third descriptor count associated with events of the merged 

18.	(previously presented) The method of claim 16, wherein merging the first plurality of events with the second plurality of events is based on event counts and descriptor counts without the use of event-specific information for individual events in the first plurality of events and the second plurality of events.

19.	(Currently amended) The method of claim 15, further comprising:

receiving, via the visualization, the user input selecting a subsection of the visualization that includes a subset of the plurality of interactive graphical objects; and
responsive to the selection, displaying a set of event descriptors corresponding to one or more clusters of the first plurality of 

20.	(previously presented) A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising:
generating and displaying a graph of a plurality of event clusters representing a plurality of events detected in a data set, wherein the events of the plurality of events are ordered according to an event distribution and wherein the plurality of event clusters result from clustering events in a first-pass clustering phase; 
wherein the graph indicates a relative size of each event cluster of the plurality of event clusters and a location of each event cluster relative to the event distribution, wherein the first-pass clustering phase produces clusters of unequal sizes, wherein a first set of clusters having a number of events above a threshold size are located in a center portion of the event distribution and a second set of clusters having a number of events below the threshold size are located one or both of a leading edge or a trailing edge of the event distribution, and further 
wherein, for one or more larger clusters of the plurality of clusters, the second-pass clustering phase limits a number of lower-level larger clusters that can be identified; 
wherein the graph displays information about each event descriptor of a plurality of event descriptors in a particular event cluster of the plurality of event clusters, wherein the plurality of event descriptors result from clustering events within the particular event cluster in the second-pass clustering phase;
wherein the displayed information includes one or more of:
a number of events having the particular event descriptor, optionally represented as a size, or 
a summary of one or more characteristics of the plurality of characteristics that distinguish the particular event descriptor from one or more other displayed event descriptors;
whereby the graph provides fine-grained information about distinct characteristics of smaller clusters in a dataset while limiting information displayed about the lower-level larger clusters within the dataset.

21.	(previously presented) The medium of claim 1, wherein the operations further comprise:

wherein a first event descriptor limit for the first cluster is larger than a second event descriptor limit for the second cluster;
merging event descriptors for events in the first cluster until the first event descriptor limit is reached; and
merging event descriptors for events in the second cluster until the second event descriptor limit is reached.



Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
The prior art of record, Hsiao (US Publication 2015/0293954 A1) teach analogous art to the instant application, that of statistical analysis of event streams. However, after careful consideration of the claim amendments and response (pages 2-14) filed on 4/15/2021 and the telephone interviews held on 4/14/2021 and 5/18/2021, the applicant’s representative specifically pointed out how the claim amendments overcome the prior art of record, particularly the prior art of Hsiao teaching grouping and managing captured event stream data to provide event data statistics based on subset of event streams, extraction rules, and event attributes, but does not explicitly indicate partitioning plurality of events into clusters by selecting a cluster count limit for clusters based on positions of 
The feature of partitioning events into clusters is disclosed in claim 1 that recites wherein partitioning the first plurality of events into the plurality of clusters comprises: selecting a cluster count limit for each particular cluster of the plurality of clusters based at least on positions of events, in a particular cluster, on the event data distribution; wherein (a) events in a first cluster of the plurality of clusters are less than a particular distance from a center of the event data distribution and (b) events in a second cluster of the plurality of clusters are more than the particular distance from the center of the event data distribution; wherein a first cluster count limit for the first cluster is larger than a second cluster count limit for the second cluster;”. And similarly in claims 8, 15, and 20. Consequently, independent claims 1, 8, 15, and 20 and dependent claims 2-5, 7, 9-14, 16-19, and 21 are allowable over the prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hsiao (US Publication 2019/0294598 A1)
Cammert (US Publication 2014/078163 A1)
Keren (US Publication 2019/0294781 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANGELINO N GORTAYO whose telephone number is (571)272-7204.  The examiner can normally be reached on Monday-Friday 7:00am - 3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya can be reached on 571-272-4034.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/DANGELINO N GORTAYO/Primary Examiner, Art Unit 2168