Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
2.	This action is in response to the communication filed on April 14, 2021.
Response to Amendment
3.	Applicant’s amendment filed on 04/14/2021 with respect to claims 1-20 has been received, entered into record and considered.
4.	As a result of the amendment, claims 1-20 have been amended.
5.	Claims 1-20 remain pending in this office action.
Information Disclosure Statement
6.	The information disclosure statement (IDS) was submitted on 04/14/2021. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
7.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 10242039 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the current application (16/264610) and the patent 10242039 are both directed to analyzing machine data by creating a signature/token and the frequency of occurrence of such signature/token in the machine data. The current application just omitted some limitations from the patented claims. Such omission does not change the scope of the invention and can perform the same functionality. Therefore, the current application is not patentable over the patent 10242039 B2.
"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 .
Claim Rejections - 35 USC § 103
8.	The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

9.	Claims 1-5, 7-15 and 17-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Douglas (US 2004/0049693 A1), in view of Gula et al (US 2006/0161816 A1), and further in view of Deb et al (US 7,546,234 B1).
	As per claim 1, Douglas discloses:
	- a method, comprising (a method, Para [0001], line 1-2, “The present invention relates to network systems and, more particularly, to systems and methods for detecting attacks to network systems”), 
	- analyzing one or more tokens that appear in a portion of a set of machine data (token appears in the machine data (i.e. log file), Para [0021], [0067], Para [0119]),
	- mapping at least one token to the frequency of occurrence in the portion of the set of machine data (frequently occurring tokens are mapped in the stream of log data (i.e. duplicate signature), Para [0119]-[0127], [0218]),
- creating a sample signature using the frequency of occurrence of the at least one token (sample signatures are created, Fig. 7, Para [0012], Para [0132]-[0143]),
- wherein the method is performed by one or more computing devices (method is performed by computer, Para [0003]),
	Douglas does not explicitly disclose determining a frequency of occurrence of at least one token of the one or more tokens in the portion of the set of machine data. However, in the same field of endeavor, Gula in an analogous art discloses determining a frequency of occurrence of at least one token of the one or more tokens in the portion of the set of machine data (a frequency of occurrence of an event (i.e. token) in the portion of machine data (i.e. log data normalization), Para [0088]). Examiner's broadest reasonable interpretation: besides Para [0088], Para [0008] and [0065] recite that events are analyzed for complex sequence (i.e. frequency of occurrence) in raw log data from various sources, such as firewall, router, web, etc.
Douglas does not explicitly disclose determining a source of the set of machine data based on a comparison of the sample signature with signatures in a set of signatures from known sources. However, in the same field of endeavor, Gula in an analogous art discloses determining a source of the set of machine data based on a comparison of the sample signature with signatures in a set of signatures from known sources (source of the machine data is determined by comparing the signature, Para [0023], [0054]).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Douglas with the teaching of Gula by modifying Douglas such that token analysis of Douglas to detect a specific event in a stream of log data using the signature matching technique of Gula for efficient analysis of events. The motivation for doing so would be detecting any event of interest from a large number of log data collected from various sources in a normalized fashion (Gula, Para [0022]).
segmenting the machine data into a plurality of events using a set of rules corresponding to the determined source thereby allowing application of time-based search phrase across the segmented machine data in the plurality of events. However, in the same field of endeavor, Dev in an analogous art discloses segmenting the machine data into a plurality of events using a set of rules corresponding to the determined source thereby allowing application of time-based search phrase across the segmented machine data in the plurality of events (rules are used to segment the machine data (i.e. message), Fig. 4A-4B, column 7, line 55-65).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Douglas, as previously modified with Gula, with the teaching of Dev by modifying Douglas such that segmented token of a stream use to identify events associating rules. The motivation for doing so would be detecting more specific information from a stream of data in an efficient manner (Dev, column 27, line 1-3).
As per claim 2, rejection of claim 1 is incorporated, and further Douglas discloses:
- creating a signature for a known source by creating a source signature from machine data collected from the known source; and storing the signature in the set of signatures (signatures are created for collected machine data, Para [0111]-[0117], and storing the signature in the signature library (i.e. storing the signature in the set of signatures), Para [0157]).
As per claim 3, rejection of claim 1 is incorporated, and further Dev discloses:
	- wherein each event in the plurality of events includes a part of the set of machine data (events include a portion (i.e. session) of machine data, column 3, line 25-30, column 7, line 5-20).
As per claim 4, rejection of claim 1 is incorporated, and further Dev discloses:
- wherein each event in the plurality of events includes a part of the set of machine data, and wherein each event is field-searchable (event fields (i.e. tokenized keywords) are searchable, column 10, line 5-20).
As per claim 5, rejection of claim 1 is incorporated, and further Douglas discloses:
- creating a time stamp for each event in the plurality of events by extracting time stamp information from machine data included in each event (creating time stamp for events, Para [0184], line 1-20).
As per claim 7, rejection of claim 1 is incorporated, and further Douglas discloses:
- based on a determination that the source of the set of machine data is not known: defining a new source of the set of machine data; and creating a new signature for the new source using the sample signature (signatures are updated with new signatures, Para [0022], [0071], [0176]).
As per claim 8, rejection of claim 1 is incorporated, and further Douglas discloses:
- based on a determination that the source of the set of machine data is not known, setting the determined source of the set of machine data to a default source (setting the machine data as a default source, Para [0076]).
As per claim 9, rejection of claim 1 is incorporated, and further Douglas discloses:
- determining that the set of machine data is binary machine data; converting the binary machine data into textual machine data using a process defined for the determined source (converting the machine data, Para [0149]-[0153]).
As per claim 10, rejection of claim 1 is incorporated, and further Douglas discloses:
- determining that the set of machine data is binary machine data by comparing a number of machine data lines in the machine data that appear to be binary and a number of machine data lines in the set of machine data that appear to be textual (comparing the machine data, Para [0056], [0218]),
- converting the binary machine data into textual machine data using a process defined for the determined source (and converting the machine data, Para [0149]-[0153]).
As per claims 11-15 and 17-18,
	Claims 11-15 and 17-18 are computer readable medium claims corresponding to method claims 1-5 and 7-10 respectively, and are rejected for the same reasons set forth in the rejection of claims 1-5 and 7-10 above.
	As per claims 19-20,
	Claims 19-20 are apparatus claims corresponding to method claims 1-2 respectively, and are rejected for the same reasons set forth in the rejection of claims 1-2 above.
10.	Claims 6 and 16 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Douglas (US 2004/0049693 A1), in view of Gula et al (US 2006/0161816 A1), and further in view of Deb et al (US 7,546,234 B1), as applied to claims 1 and 11 above, and further in view of Wold (US 2007/0074147 A1).
As per claim 8, rejection of claim 1 is incorporated,
The combined method of Douglas, Gula and Dev does not explicitly disclose matching the sample signature to one or more signatures in the set of signatures from known sources using a nearest neighbor search. However, in the same field of endeavor, Wold in an analogous art discloses matching the sample signature to one or more signatures in the set of signatures from known sources using a nearest neighbor search (matching the signature using nearest neighbor search, Para [0011], [0094]).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Douglas, with the teaching of Gula and Dev for identifying an unknown segment of a stream data. The modification would be obvious because one having ordinary skill in the art would be motivated to provide a 
As per claim 16,
	Claim 16 is a computer readable medium claim corresponding to method claim 6, and is rejected for the same reasons set forth in the rejection of claim 6 above.
Response to Arguments
11.	Applicant’s arguments filed on 04/14/2021 with respect to claims 1-20 have been considered but are moot because of the new ground of rejection necessitated by the amendment to the claims.
	In response to applicant’s argument on page 8, applicant argued that nowhere does Douglas disclose or even contemplate using the signature to determine a source of the machine data, let alone “determining a source of the set of machine data based on a comparison of the sample signature with signatures in a set of signatures from known sources”. Examiner disagrees and respectfully responds that Douglas teaches determining log sources using the signature, as described in Para [0180], [0184], [0281]-[0285]. However, after an updated search, examiner found Gula et al. Gula et al specifically teaches determining a source of the set of machine data based on a comparison of the sample signature with signatures in a set of signatures from known sources (source of the machine data is determined by comparing the signature) in Para [0023], [0054].
	In response to applicant’s argument on page 9, applicant argued that Douglas makes no mention of determining a frequency of occurrence of any of the alleged tokens to generate the signature or using the signatures to determine a source of machine data, let alone “determining a frequency of occurrence of at least one token of the one or more tokens in the portion of the set of machine data”. Examiner disagrees and respectfully responds that, pattern of fields in a log stream, Para [0119]-[0120], [0184], [0218], [0243], [0259], [0281]. However, after an updated search, examiner found Gula et al. Gula et al specifically teaches determining a frequency of occurrence of at least one token of the one or more tokens in the portion of the set of machine data in Para [0088] (a frequency of occurrence of an event (i.e. token) in the portion of machine data (i.e. log data), Para [0088]). Examiner's broadest reasonable interpretation: besides Para [0088], Para [0008] and [0065] recite that events are analyzed for complex sequence (i.e. frequency of occurrence) in raw log data from various sources, such as firewall, router, web, etc.
	Therefore, Douglas, Gula and Dev, alone or in combination, teach the argued limitation and other limitations, as claimed.
Conclusion
12.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Contact Information
13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED R UDDIN whose telephone number is (571)270-3138.  The examiner can normally be reached on M-F: 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMED R UDDIN/
Primary Examiner, Art Unit 2167