Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action

The instant application having Application No. 15/360,449 has claims 1-22 pending in the application filed on 11/23/2016, there are 3 independent claims and 19 dependent claims, all of which are ready for examination by the examiner.  The applicant added a new claim 22 (dated 02/26/2021).  

Acknowledgement Of References Cited By Applicant

As required by M.P.E.P.  609(C), the applicant’s submissions of the Information Disclosure Statements dated December 18, 2020, March 3, 2021 and March 31, 2021 are acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P 609 C (2), a copy of the PTOL-1449 initialed and dated by the examiner are attached to the instant office action.

Response to Arguments

This Office Action is in response to applicant’s communication filed on February 26, 2021 in response to PTO Office Action dated August 28, 2020.  The Applicant’s remarks and amendments to the claims and/or specification were considered with the results that follow.


Claim Rejections


Claim Rejections - 35 USC § 103

 35 USC § 103 Rejection of claims 1-21

Applicant's arguments filed on 02/26/2021 with respect to the claims 1-21 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Govrin et al (US PGPUB 20030084053) in view of Peterson Glenn R (US PGPUB 20100185618) and in further view of Xu et al (US PGPUB 20190317947). 

As per claim 1:
Govrin teaches:
“A method performed by a data processing system for processing data, the method including” Paragraph [0010] (method for analyzing and effectively distributing large quantities of data includes)) 
“intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record included in the collection of data records, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
 “processing the modified data record by applying one or more rules to the modified data record” Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100]  (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY discloses: as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record.
However, Peterson teaches:
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0024] and Paragraph [0026] (the aggregation framework receives the individual data records and processes the data records into aggregation collections where each record in an aggregation collection is identified by a unique resultant key))
“for that particular identifier, creating a collection of data records that include the detected two or more data records” Paragraph [0027] and (Paragraph [0028] (one or more aggregations may be created where an aggregation collection description includes keys which include key categories in which data records or data aggregations may be identified))
“modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” (Paragraph [0026] and Paragraph [0028] (each record in an aggregation collection is identified by a unique resultant key derived from fields in the data record and one or more aggregations may be created, each aggregation presenting information derived from a number of data records)).
Also, Xu teaches:
 “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0171], Paragraph [0240] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, advantageously only the newer event data needs to be processed while generating an updated report, each generation may be identified by a unique generation identifier represented, a first generation may be represented by a generation identifier of zero, a second generation represented by a generation identifier of one for each grouped subset of data stored by indexers of the cluster, which of the indexers is the primary indexer and which indexers are secondary indexers (second data)))
“and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier” (Paragraph [0165], Paragraph [0167] and Paragraph [0168] (the system needs to process all events that have a specific field-value combination, the system can use the references in the summarization table entry to directly access the events to extract further information without having to search all of the events to find the specific field-value combination at search time, the summarization table can be populated by running a periodic query that scans a set of events to find instances of a specific field-value combination and these additional results can then be combined with the partial results to produce a final set of results for the query)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Govrin, Peterson and Xu for “as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” as it will efficiently control and provide data aggregation in a flexible method that supports a large or potential large volume of data (Peterson, Paragraph [0007]), the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]) . 
Therefore, it would have been obvious to combine Govrin, Peterson and Xu.

As per claim 2:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein inserting the data from the at least one of the data records in the collection into the other field of the data record includes” (Paragraph [0046] (the combination of date warehouse repositories and external data sources results in the creation of active Intelligence as a layer))
“inserting data from the at least one detected data record included in the collection into the other field of the data record modified by inserting” (Paragraph [0080] (parameters are business accumulators that are wrapped in a multi-dimensional indexing cover and hold logic that describes the way they are updated and the type of data they hold)).

As per claim 3:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein the collection of data records is a first data record including data from the data records, and wherein the method further includes” (Paragraph [0075] (the feeder may combine various fltering Rules in order to find the minimal necessary set or required data))
 “collecting a plurality of data records” (Paragraph [0021] (process huge quantities of records per second from any external data source)).
“and augmenting the first data record with the combined data for the at least one detected data record” (Paragraph [0046] (the combination of date warehouse repositories and external data sources results in the creation of active Intelligence is positioned as a layer between the organization's data sources)).
Also Peterson teaches:
“publishing the data records to a single queue” (Paragraph [0077] (the next input datum or data record in a queue of data records is processed))
“from the queue, detecting the two or more data records” (Paragraph [0033] (included in data records are one or more data records))
“joining together the detected two or more data records into the first data record, with the detected two or more data records including data representing different types of events” (Paragraph [0024] (aggregation framework receives one or more aggregation parameter sets that define how received data records are combined and presented as aggregation collections)).

As per claim 4:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein the prior time period is a time prior to performance of the detecting” (Paragraph [0011] (historical data can be thereby be utilized to enable vastly improved decision-making opportunities for current events)).

As per claim 5:
Govrin, Peterson and Xu teach the method as specified in the parent claim 3 above. 
Govrin further teaches:
“attaching, to the first data record, customer profile data for a customer associated with a particular event included in the first data record” (Paragraph [0020] (a set of rules that define a way to detect fraud in a financial transaction system, based on parameters such as client profiles))
“and attaching to the first data record an appendable lookup file (ALF) with a historical aggregation for the particular event” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources such as relational databases and flat files on request)).

As per claim 6:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“further including: adding incremental data to the historical aggregation, with the incremental data including data from a time at which the historical aggregation was computed to a near present time that is within a minute of the present time” (Paragraph [0038], Paragraph [0046] and Paragraph [0054] (the combination of date warehouse repositories and extrenal data sources results in the creation of active Intelligence in real-time where real-time refers to the rapid execution of requests with no significant delay))
“and producing, based on the adding of the incremental data, a near real-time aggregation of the data” (Paragraph [0047] (managing the execution of real-time analytical models within operational processes leveraging data from a variety of transactional and historical sources to guide the optimal execution of that process)).

As per claim 7:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“receiving, from a client device of a user, data representing one or more rules defining an application” (Paragraph [0096] (users can easily interface with the GUI, to input sophisticated decision rules))
“generating, based on the received data, the one or more rules that define the application” (Paragraph [0020] (analytical models are user-defined rules that require a high level of complex analytics capabilities in order to be executed))
“and implementing, based on executing the one or more rules, the application against the one or more data streams intermittently received” (Paragraph [0016] (a solver component for filtering the data from the MDPDS according to the user defined rules))

As per claim 8:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein receiving the one or more data streams includes: receiving a first data stream with data representing a first type of event” (Paragraph [0073] and Paragraph [0075] (listeners are system specific adaptors that capture external messages from different data streams and data representing for each event))
“and receiving a second data stream with data representing a second type of event” (Paragraph [0122] (identifies the occurrence of business events according to set business rules in order to understand whether the transaction or event that took place is in fact significant)).

As per claim 9:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“further including executing one or more applications against a published action trigger included in the one or more instructions” (Paragraph [0089] and Paragraph [0125] (certain operational data indicates the occurrence of a monitored event or certain thresholds are exceeded , the platform triggers the distribution functions, sending the message to the most relevant individual/s or system/s)).

As per claim 10:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein a data record includes an event” (Paragraph [0038] (collect, filter and analyze huge quantities of data, by defining rules to identify key events)).

As per claim 11:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein searching includes searching in a data repository or searching in-memory” (Paragraph [0006] (data warehouse systems are central repositories for all or significant parts of the data that an enterprise's various business systems collect and data from data warehouse repositories is searched by user queries)).

As per claim 12:
Govrin teaches:
“A data processing system for processing data including” Paragraph [0010] (system for analyzing and effectively distributing large quantities of data includes)) 
 “intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources consisting of data records and listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record included in the collection of data records, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time) 
“processing the modified data record by applying one or more rules to the modified data record” (Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY teaches: “one or more processors; and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record.
However, Peterson teaches:
“one or more processors” Paragraph [0064] (one or more processors)) 
“and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including” Paragraph [0064] (in the context of software, the blocks represent computer instructions that, when executed by one or more processors, perform the recited operations)) 
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0024] and Paragraph [0026] (the aggregation framework receives the individual data records and processes the data records into aggregation collections where each record in an aggregation collection is identified by a unique resultant key))
“for that particular identifier, creating a collection of data records that include the detected two or more data records” Paragraph [0027] and (Paragraph [0028] (one or more aggregations may be created where an aggregation collection description includes keys which include key categories in which data records or data aggregations may be identified))
“modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” (Paragraph [0026] and Paragraph [0028] (each record in an aggregation collection is identified by a unique resultant key derived from fields in the data record and one or more aggregations may be created, each aggregation presenting information derived from a number of data records)).
Also, Xu teaches:
 “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0171], Paragraph [0240] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, advantageously only the newer event data needs to be processed while generating an updated report, each generation may be identified by a unique generation identifier represented, a first generation may be represented by a generation identifier of zero, a second generation represented by a generation identifier of one for each grouped subset of data stored by indexers of the cluster, which of the indexers is the primary indexer and which indexers are secondary indexers (second data)))
“and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier” (Paragraph [0165], Paragraph [0167] and Paragraph [0168] (the system needs to process all events that have a specific field-value combination, the system can use the references in the summarization table entry to directly access the events to extract further information without having to search all of the events to find the specific field-value combination at search time, the summarization table can be populated by running a periodic query that scans a set of events to find instances of a specific field-value combination and these additional results can then be combined with the partial results to produce a final set of results for the query)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Govrin, Peterson and Xu for “one or more processors; and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” as it will efficiently control and provide data aggregation in a flexible method that supports a large or potential large volume of data (Peterson, Paragraph [0007]), the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]) . 
Therefore, it would have been obvious to combine Govrin, Peterson and Xu.

As per claim 13, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 2 above.

As per claim 14, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 3 above.

As per claim 15, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 4 above.

As per claim 16, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 5 above.

As per claim 17, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 6 above.

As per claim 18:
Govrin teaches:
 “intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources consisting of data records and listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record included in the collection of data records, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
 “processing the modified data record by applying one or more rules to the modified data record” (Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY teaches: “one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record.
However, Peterson teaches:
“and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including” Paragraph [0064] (in the context of software, the blocks represent computer instructions that, when executed by one or more processors, perform the recited operations)) 
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0024] and Paragraph [0026] (the aggregation framework receives the individual data records and processes the data records into aggregation collections where each record in an aggregation collection is identified by a unique resultant key))
“for that particular identifier, creating a collection of data records that include the detected two or more data records” Paragraph [0027] and (Paragraph [0028] (one or more aggregations may be created where an aggregation collection description includes keys which include key categories in which data records or data aggregations may be identified))
“modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” (Paragraph [0026] and Paragraph [0028] (each record in an aggregation collection is identified by a unique resultant key derived from fields in the data record and one or more aggregations may be created, each aggregation presenting information derived from a number of data records)).
Also, Xu teaches:
 “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0171], Paragraph [0240] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, advantageously only the newer event data needs to be processed while generating an updated report, each generation may be identified by a unique generation identifier represented, a first generation may be represented by a generation identifier of zero, a second generation represented by a generation identifier of one for each grouped subset of data stored by indexers of the cluster, which of the indexers is the primary indexer and which indexers are secondary indexers (second data)))
“and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier” (Paragraph [0165], Paragraph [0167] and Paragraph [0168] (the system needs to process all events that have a specific field-value combination, the system can use the references in the summarization table entry to directly access the events to extract further information without having to search all of the events to find the specific field-value combination at search time, the summarization table can be populated by running a periodic query that scans a set of events to find instances of a specific field-value combination and these additional results can then be combined with the partial results to produce a final set of results for the query)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Govrin, Peterson and Xu for “one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and combining the second data included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the historical aggregation of data that is keyed based on the same particular identifier to produce combined data keyed based on the same particular identifier; modifying a data record that is keyed based on the same particular identifier by inserting the combined data keyed based on the same particular identifier into a field of the data record and by inserting data from at least one of the data records in the collection into another field of the data record” as it will efficiently control and provide data aggregation in a flexible method that supports a large or potential large volume of data (Peterson, Paragraph [0007]), the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]) . 

As per claim 19, the claim is rejected based upon the same rationale given for the parent claim 18 and the claim 2 above.

As per claim 20, the claim is rejected based upon the same rationale given for the parent claim 18 and the claim 3 above.

As per claim 21:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“based on applying one or more rules to the modified data record, detecting that a threshold value is satisfied by the combined data” (Paragraph [0038] and Paragraph [0089] (collect, filter and analyze huge quantities of data, by defining rules to identify key events and when certain thresholds are exceeded, a rule may be triggered))
“based on detecting that the threshold value is satisfied by the combined data, transmitting an alert to a user device” (Paragraph [0089], Paragraph [0142] and Paragraph [0143] (when a threshold value is exceeded, a rule is triggered and an alert may be sent to customer as SMS or E-mail)).

As per claim 22:
Govrin, Peterson and Xu teach the method as specified in the parent claim 1 above. 
Xu further teaches:
“wherein data that is keyed based on the same particular identifier includes data that is keyed indirectly based on the same particular identifier or data that is keyed directly based on the same particular identifier” (Paragraph [0115] (a keyword index to facilitate fast keyword searching for event data where the indexer includes the identified keywords in an index, which associates each stored keyword with reference pointers to events containing that keyword)).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Guigui et al, (US PGPUB 20180225158), certain examples described herein provide a data processing system and method adapted for event processing. These examples provide for distribution of data processing operations between server computing devices. In one case, a plurality of processing stages are implemented using computing instances on the server computing devices. In this case, the computing instances are assigned to the server computing devices in order to perform at least one data processing operation in parallel. Certain examples described herein then provide for the distribution of data between computing instances such that parallelism is maintained for data processing operations. In certain cases, a composite key is used. In this case, a composite key value is computed for a set of data fields associated with a data item to be processed.
Zhang et al, (US PGPUB 20130046783), a system arranged to search machine data to generate reports in real time. A search query is provided that includes a plurality of search commands. The search query is parsed to form a main search query and a remote search query. Machine data is collected from remote data sources and evaluated against one of the main and remote search queries to generate a set of search results. The main search query is then evaluated against at least a partial set of the search result to generate at least one report regarding the collected machine data. Initially a search window is pre-populated with historical machine data related to the search query.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAMAL K DEWAN whose telephone number is(571)-272-2196.  The examiner can normally be reached on Mon-Fri 8:00 AM – 5:00 PM (EST).  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONY MAHMOUDI can be reached on 571-272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Kamal K Dewan/
Examiner, Art Unit 2163

/TONY MAHMOUDI/Supervisory Patent Examiner, Art Unit 2163