DETAILED ACTION
This action is in response to the amendment filed on February 23, 2021.

Notice of AIA  Status
The present application, filed on or after March 01, 2013, is being examined under the first inventor to file provisions of the AIA .  In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
1.	The information disclosure statements (IDS) submitted on January 8, 2021, March 2, 2021 and April 14, 2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the Examiner.

Response to Arguments
2.	Applicant’s arguments dated February 23, 2021 with respect to claims 20-49 and 52, USC 103 Rejection have been considered, but are not persuasive.
	Regarding independent claim 20, Applicant argues that “Amended independent claim 20 recites the limitations of calculating a relevance score associated with a first field present in the set of fields based on at least one of a number of unique values of the first field or a number of events included in the set of field-searchable events that include the first field. None of the cited references teaches or suggests these limitations. Therefore, no logical combination of the cited references can teach or suggest each and every limitation of amended claim 20.


In the rejections of the pre-amended version of claim 20, the Examiner argues that Baker discloses techniques for providing an individual with a score indicating the relevance of content, where the individual can quickly see the relevance of page before reading the page. See Office Action at 5. Importantly, Baker does not disclose a relevance score based on a number of unique values of the first field, as now recited in amended claim 20. Further, Baker does not disclose a relevance score based on a number of events included in the set of field-searchable events that include the first field, as also now recited in amended claim 20. Consequently, Baker cannot be properly interpreted as teaching or suggesting the above limitations of amended claim 20.
A careful review of the remaining references cited by the Examiner reveals that these references also do not teach or suggest the above limitations of amended claim 20.


New claim 52 recites the limitations of determining that the relevance score associated with the first field satisfies a threshold condition; adding the field to a set of selected fields; and causing display of a graphical interface that includes the set of selected fields. None of the cited references teaches or suggest these particular limitations. Therefore, no combination of the cited references can teach or suggest each and every limitation of new claim 52.
As discussed above, Baker does not disclose any techniques for calculating a relevance score associated with a first field present in the set of fields based on at least one of a number of unique values of the first field or a number of events included in the set of field-searchable events that include the first field. Likewise, Baker does not disclose determining that the relevance score associated with the first field satisfies a threshold condition; adding the field to a set of selected fields; and causing display of a graphical interface that includes the set of selected fields, as expressly recited in new claim 52. Without any such teachings, Baker cannot be properly interpreted as teaching or suggesting the above limitations of new claim 52.  A careful review of the remaining references cited by the Examiner reveals that these references also do not teach or suggest the above limitations of new claim 52 either.
As the foregoing illustrates, no combination of the cited references teaches or suggests each and every limitation of new claim 52. For at least these reasons, Applicant submits that new dependent claim 52 is allowable over the cited references independent of its dependency on allowable claim 20.”  
	After further search and review of the references, the Office respectfully disagrees and maintains the rejection, with a re-mapping of the limitations to relevant sections of the references. 
	Subrahmanyam teaches in Fig. 2 and [0010], [0055], [0058] and [0059], wherein an unstructured event parser operates as follows: For each token produced by a tokenizer, the probabilistic mapper calculates the probability of the token mapping to each field in the structured event schema. The calculation uses field mapping statistics. The results are ordered by descending probability and if the maximum probability falls below a threshold, then the mapper decides not to map the token to any field. Otherwise, the calculated fields are ordered by descending probability, and the token is mapped to the most likely field. Each entry in the field mapping statistics represents only one occurrence of a token with the unique specified value and feature being mapped to the specified field. In another embodiment, identical entries are aggregated, and the number of aggregated entries is stored. The field mapping statistics used by the probabilistic mapper to calculate the field mapping probabilities mentioned above are collected by a trainer that compares tokenized logs/events with their correctly parsed field values. For each field, the trainer adds a corresponding entry to the table or increments an existing aggregate entry, thereby counting the number of times it has seen a particular feature. This process is shown in FIG. 2. For each token produced by the tokenizer, the probabilistic mapper calculates the probability of the token mapping to each field in the structured event schema. The calculation uses the field mapping statistics 190.
	Regarding independent claim 39 and 44, Applicant has not overcome the rejections. See arguments regarding same subject matter above.
	Regarding dependent claims 21-38, 40-33, 45-49 and 52, Applicant has not overcome the rejections and they remain similarly rejected.
	Applicant is requested to review the teachings of the references and communicate any issues on the merits to examiner.  Applicant is further reminded that Examiner cites particular paragraphs and line numbers in the references as applied to the claims for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in its entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.
Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-19 and 50-51 are cancelled. Claims 20-49 and 52 are being rejected under 35 U.S.C. 103 as being unpatentable over Millsap et al. (US 2010/0100562 A1) in view of Baker et al. (US 2009/0319512) and further in view of Subrahmanyam (US 2011/0066585 A1).

Regarding claim 20, Millsap discloses “A computer-implemented method, comprising: causing display of one or more field names corresponding to a set of fields associated with a set of field-searchable events,” (See Fig. 5 and 7, abstract, [0014] and [0042]) (The method comprises retrieving dimensions from a database, retrieving metrics from said database, retrieving dates from said database, creating user selectable menus, dynamically generating a query based on user selections in said user selectable menus, receiving the results of said query, and dynamically generating a chart from said results. The user can set a time period for analysis. Drill down and drill across features allow a user to navigate from one dimension set or database to another. This allows a user to instantly compare and contrast related or more detailed charts or reports.)

“and causing display of a graphical control for selecting a filter function, wherein the filter function corresponds to the first field present in the set of fields.” (See Fig. 3a, Fig. 5 and Fig. 7, [0042], [0047] and [0048]) (Chart 702 shows the total number of calls abandoned at the call centers in 15 cities, which may be calculated using a mathematical function. Menu 514 is used to set the ranking method, and determines whether the report displays results that have the most, or the least, of a given metric. Menu 516 sets the number of results to return in a report. By using menus 514 and 516 together the user can specify how many records a report should contain, and whether those records should be drawn from the top or bottom of the range. It should be noted that the search results are generated by performing an SQL query for given criteria which inherently filters results from identified tables which match a specific filter requirement.)

But, Millsap does not explicitly disclose “each event in the set of field-searchable events including a portion of raw machine data associated with a timestamp, the portion of raw machine data reflecting activity in an information technology environment and being produced by a component of the information technology environment;” 

However, Subrahmanyam teaches “each event in the set of field-searchable events including a portion of raw machine data associated with a timestamp, the portion of raw machine data reflecting activity in an information technology environment and being produced by a component of the information technology environment;” (See Fig. 8 and [0023]) (FIG. 8 is a screenshot of a graphical user interface for generating a parameter file to be used with a parameterized normalized event generator to generate a normalized event based on an unstructured event.)

But, Millsap does not explicitly disclose “and wherein the filter function is automatically selected based on the relevance score associated with the first field.” 

However, Baker teaches “and wherein the filter function is automatically selected based on the relevance score associated with the first field.” (See Abstract and [006], [0040] (A computing device that filters online content to be delivered to an individual. The PKP or PIP can be used to filter further content that is provided to the user. The content analyzer module 270 automatically converts the content of the web page to structured data, analyzes the data with respect to the information in the PKP module 230, and provides the individual with a score indicating the relevance of the content to the interest collection. See FIG. 7, wherein in some embodiments, this analysis can be done almost instantaneously so that the individual can almost immediately see the relevance of page before reading it. This relevancy determination can be based on one or more of pattern recognition that accounts for the entire two-dimensional layout of the data including text and graphics, or a contextual analysis. The indications can be visual, such as a fuel gauge, a numeric number range (e.g., 1-10 or 1-5), a number of stars, or even an audible indication such as a number of beeps depending on relevancy. In some embodiments, the content analyzer module 270 can also provide an indication as to which interest collection the page is most relevant. In alternative embodiments, the content analyzer 270 can be programmed to pre-fetch links and analyze the content located through those links so that a relevancy score can be provided if the individual access those links. As shown in FIG. 23, the interest collection control panel 950 also includes a filter box 954 into which the individual can input terms. The filter module 1016 is programmed to filter the content and identify content that may be relevant to the individual. )

But, Millsap does not explicitly disclose “and each field in the set of fields is defined by an extraction rule that is applied to extract a value from the portion of raw machine data included in each event in the set of field-searchable events:”

However, Subrahmanyam teaches “and each field in the set of fields is defined by an extraction rule that is applied to extract a value from the portion of raw machine data included in each event in the set of field-searchable events:” (See [0013]-[0015]) (The parameter file creator receives an unstructured event, determines a regular expression that extracts token values from the unstructured event, determines mappings from the extracted tokens to the fields of a schema, receives user input that customizes the regular expression and/or the mappings, and outputs a parameter file. That parameter file can then be used with a parameterized normalized event generator to generate a normalized event based on an unstructured event. This parameter file creator uses the probabilistic mapper. The appropriate regex is appended to the regex within the parameter file. (Since the token value is to be extracted, and not merely matched, the appropriate regex is surrounded by parentheses before appending it to the regex within the parameter file.) Suggested field mappings for that token are stored. If the token should be treated as a literal, then the Value of the token is appended to the regex within the parameter file. After all of the tokens have been processed, the user is presented with a "suggested parse" that reflects a) the regular expression in the current parameter file and b) the stored suggested field mappings. At that point, the user can modify the suggested parse by selecting, from among the stored suggested field mappings, one field mapping for each token that was treated as a variable. The user can also modify the regex that was automatically generated. For example, the user can change a literal to a variable or vice versa. The modified regex can then be applied to the unstructured event in order to extract token values and determine field mappings. After the user is satisfied, the selected token mappings are added to the parameter file.) 

But, Millsap does not explicitly disclose “calculating a relevance score associated with a first field present in the set of fields based on at least one of a number of unique values of the first field or a number of events included in the set of field-searchable events that include the first field;”

However, Subrahmanyam teaches “calculating a relevance score associated with a first field present in the set of fields based on at least one of a number of unique values of the first field or a number of events included in the set of field-searchable events that include the first field;” (See Fig. 2 and [0010], [0055], [0058] and [0059]) (An unstructured event parser operates as follows: For each token produced by a tokenizer, the probabilistic mapper calculates the probability of the token mapping to each field in the structured event schema. The calculation uses field mapping statistics. The results are ordered by descending probability. If the maximum probability falls below a threshold, then the probabilistic mapper decides not to map the token to any field. Otherwise, the calculated fields are ordered by descending probability, and the token is mapped to the most likely field. Each entry in the field mapping statistics represents only one occurrence of a token (with the specified feature and value) being mapped to the specified field. In another embodiment, identical entries are aggregated, and the number of aggregated entries is stored. The field mapping statistics 190 used by the probabilistic mapper 150 to calculate the field mapping probabilities mentioned above are collected by a "trainer" that compares tokenized logs/events with their correctly parsed field values. For each field, the trainer adds a corresponding entry to the table (or increments an existing aggregate entry, thereby counting the number of times it has seen a particular feature). This process is shown in FIG. 2. For each token produced by the tokenizer 140, the probabilistic mapper 150 calculates the probability of the token mapping to each field in the structured event schema. The calculation uses the field mapping statistics 190.)

It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine Millsap (Method and system for dynamically creating reports or charts from records retrieved from a database or databases.) with Baker (Aggregator, Filter and Delivery System) and Subrahmanyam (Extracting information from unstructured data), in order to effectively analyze and use for reporting, correlation, etc., in a normalized structured format or schema. See Subrahmanyam, [006]. 

One having ordinary skill would also be motivated to combine Millsap and Subrahmanyam, in view of the suggestions provided by Subrahmanyam in paragraphs [008] and Fig. 1, which suggests, “analyzing an event that is in unstructured form and generating an event that is in structured form. The system is able to generate a structured/normalized event based on an unstructured event. The structured event is generated automatically, without manual input or interaction.” 

Regarding claim 21, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising:  extracting a set of field values from a plurality of occurrences of the first field in the raw machine data based on one or more extraction rules associated with the first field, wherein the one or more extraction rules are used to identify occurrences of the first field in the raw machine data; receiving, via the graphical control, a selection of the filter function; and in response to receiving the selection of the filter function, filtering the set of field values in the raw machine data corresponding to the first field.”(See Subrahmanyam: Fig. 8 and [0105]) (Fig. 8 displays field-searchable events, which are also filter functions.)

Regarding claim 22, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising: extracting a set of field values from a plurality of occurrences of the first field in the raw machine data based on one or more extraction rules associated with the first field, wherein the one or more extraction rules are used to identify occurrences of the first field in the raw machine data;  receiving, via the graphical control, a selection of the filter function; in response to receiving the selection of the filter function, filtering the set of field values in the raw machine data corresponding to the first field to provide a filtered set of field values; and causing display of a graphical visualization of the filtered set of field values.” (See Leonard [0029], [0039]-[0042]) (The unstructured data can be interactively queried or subset using hierarchical queries, graphical queries, filtering queries, or manual selection. The time series data is analyzed for patterns by rules based on fields in the data. The identified similar portion of the structured hierarchical data may be extracted, and the time series analysis function operates on the extracted similar portion. FIG. 7 is a block diagram depicting a wizard implementation of a data structuring GUI. FIGS. 13-19 depict example graphical interfaces for viewing and interacting with unstructured time stamped data, structured time series data, and analysis results.)

Regarding claim 23, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising: causing display of a second graphical control for selecting the first field from a plurality of fields included in the raw machine data; and receiving, via the second graphical control, a selection of the first field.” (See Subrahmanyam: [0106]) (The second section of the GUI 800, which is just underneath the first section, is labeled "Regex" and displays a regular expression.)

Regarding claim 24, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function is made selectable via the graphical control based on the first field being present in the set of fields.” (See Fig. 3a, Fig. 5 and Fig. 7, [0042], [0047] and [0048]) (Chart 702 shows the total number of calls abandoned at the call centers in 15 cities, which may be calculated using a mathematical function. Menu 514 is used to set the ranking method, and determines whether the report displays results that have the most, or the least, of a given metric. Menu 516 sets the number of results to return in a report. By using menus 514 and 516 together the user can specify how many records a report should contain, and whether those records should be drawn from the top or bottom of the range. It should be noted that the search results are generated by performing an SQL query for given criteria which inherently filters results from identified tables which match a specific filter requirement.)

Regarding claim 25, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising: causing display of a second graphical control for selecting the first field from a plurality of fields present in the raw machine data; and receiving, via the second graphical control, a selection of the first field, wherein the filter function is made selectable via the graphical control based on the first field being selected via the second graphical control.” (See Fig. 3a, Fig. 5 and Fig. 7, [0042], [0047] and [0048]) (Chart 702 shows the total number of calls abandoned at the call centers in 15 cities, which may be calculated using a mathematical function. Menu 514 is used to set the ranking method, and determines whether the report displays results that have the most, or the least, of a given metric. Menu 516 sets the number of results to return in a report. By using menus 514 and 516 together the user can specify how many records a report should contain, and whether those records should be drawn from the top or bottom of the range. It should be noted that the search results are generated by performing an SQL query for given criteria which inherently filters results from identified tables which match a specific filter requirement.)

Regarding claim 26, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the graphical control displays a plurality of filter functions that correspond to the first field.” (See Fig. 5 and Fig. 7)

Regarding claim 27, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the graphical control displays a plurality of filter functions that correspond to a graphical visualization in which a representation of the first field is displayed.” (See Fig. 5 and Fig. 7)

Regarding claim 28, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising receiving, via a second graphical control, a selection of a graphical visualization for displaying a representation of the first field, wherein the graphical control displays a plurality of filter functions that correspond to the graphical visualization.” (See Fig. 5 and Fig. 7)

Regarding claim 29, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function is applied to a set of field values from two or more fields extracted from the set of field-searchable events.” (See Fig. 5 and Fig. 7)

Regarding claim 30, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function identifies a subset of the set of field-searchable events.”  (See Fig. 5 and Fig. 7)

Regarding claim 31, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the graphical control comprises a plurality of filter functions, and each of the plurality of filter functions corresponds to a field present in the set of fields.” (See Fig. 5 and Fig. 7)

Regarding claim 32, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising: receiving, via the graphical control, a selection of the filter function; in response to receiving the selection of the filter function, filtering the set of field values in the raw machine data corresponding to the first field; and causing a calculation on the set of field values.” (See [0013]) (Another feature of an embodiment of the invention is a calculations function incorporated into the dashboard. This function allows the user to perform calculations on the records making up a chart or report. Some possible calculations include determining an average value of the records, performing regression analysis, or determining a mean value. However, nearly any mathematical function that can be expressed.)

Regarding claim 33, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising causing display of a second graphical control for selecting an aggregate function that is applied to the set of field values.” (See [0013]) (Another feature of an embodiment of the invention is a calculations function incorporated into the dashboard. This function allows the user to perform calculations on the records making up a chart or report. Some possible calculations include determining an average value of the records, performing regression analysis, or determining a mean value. However, nearly any mathematical function that can be expressed.)

Regarding claim 34, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function comprises a time filter.” (See [0042]) (Menu 508 dynamically lists all of the metrics that are present in the database. Each metric in menu 508 is a type of numerical entry in the database that can be compared across fields or databases for analysis. Menus 510 and 512 dynamically list all of the date entries present in the database. The user can set a time period for analysis by setting menu 510 to a beginning date and menu 512 to an ending date.

Regarding claim 35, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function comprises a match filter.” (See [0042]) (Menu 508 dynamically lists all of the metrics that are present in the database. Each metric in menu 508 is a type of numerical entry in the database that can be compared across fields or databases for analysis. Menus 510 and 512 dynamically list all of the date entries present in the database. The user can set a time period for analysis by setting menu 510 to a beginning date and menu 512 to an ending date. Menu 514 is used to set the ranking method, and determines whether the report displays results that have the most, or the least, of a given metric. Menu 516 sets the number of results to return in a report. By using menus 514 and 516 together the user can specify how many records a report should contain, and whether those records should be drawn from the top or bottom of the range.)

Regarding claim 36, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function comprises a match filter that includes two or more filter rules to apply to the set of field values in the raw machine data corresponding to the first field.” (See [0042]) (Menu 508 dynamically lists all of the metrics that are present in the database. Each metric in menu 508 is a type of numerical entry in the database that can be compared across fields or databases for analysis. Menus 510 and 512 dynamically list all of the date entries present in the database. The user can set a time period for analysis by setting menu 510 to a beginning date and menu 512 to an ending date. Menu 514 is used to set the ranking method, and determines whether the report displays results that have the most, or the least, of a given metric. Menu 516 sets the number of results to return in a report. By using menus 514 and 516 together the user can specify how many records a report should contain, and whether those records should be drawn from the top or bottom of the range.

Regarding claim 37, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function comprises a limit filter.” (See [0042]) (Menu 508 dynamically lists all of the metrics that are present in the database.” Each metric in menu 508 is a type of numerical entry in the database that can be compared across fields or databases for analysis. Menus 510 and 512 dynamically list all of the date entries present in the database. The user can set a time period for analysis by setting menu 510 to a beginning date and menu 512 to an ending date.)

Regarding claim 38, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, wherein the filter function comprises a limit filter that includes a statistics function that is applied to the set of field values in the raw machine data corresponding to the first field.” (See [0013]) (Another feature of an embodiment of the invention is a calculations function incorporated into the dashboard. This function allows the user to perform calculations on the records making up a chart or report. Some possible calculations include determining an average value of the records, performing regression analysis, or determining a mean value. However, nearly any mathematical function that can be expressed.)

As per claim 39, this claim is rejected based on rationale given above for rejected claim 20 and is similarly rejected, including “A system, comprising: a memory storing instructions; and a processor coupled to the memory, wherein, when executed by the processor, the instructions configures the processor” (See [0021]) (FIG. 4 illustrates a block diagram of an exemplary system in accordance with the present invention.)

As per claim 40, this claim is rejected based on rationale given above for rejected claim 21 and is similarly rejected.
As per claim 41, this claim is rejected based on rationale given above for rejected claim 22 and is similarly rejected.

As per claim 42, this claim is rejected based on rationale given above for rejected claim 23 and is similarly rejected.

As per claim 43, this claim is rejected based on rationale given above for rejected claim 29 and is similarly rejected.

As per claim 44, this claim is rejected based on rationale given above for rejected claim 20 and is similarly rejected, including “A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of:” (See [0021]) (FIG. 4 illustrates a block diagram of an exemplary system in accordance with the present invention.)
As per claim 45, this claim is rejected based on rationale given above for rejected claim 21 and is similarly rejected.

As per claim 46, this claim is rejected based on rationale given above for rejected claim 22 and is similarly rejected.

As per claim 47, this claim is rejected based on rationale given above for rejected claim 23 and is similarly rejected.

As per claim 48, this claim is rejected based on rationale given above for rejected claim 29 and is similarly rejected.

As per claim 49, this claim is rejected based on rationale given above for rejected claim 30 and is similarly rejected.
	Regarding claim 52, Millsap in view of Baker and further in view of Subrahmanyam discloses “The method of claim 20, further comprising: determining that the relevance score associated with the first field satisfies a threshold condition; adding the field to a set of selected fields; and causing display of a graphical interface that displays the set of selected fields.” (See Subrahmanyam: Fig. 2 and [0010], [0055], [0058] and [0059]) (An unstructured event parser operates as follows: For each token produced by a tokenizer, the probabilistic mapper calculates the probability of the token mapping to each field in the structured event schema. The calculation uses field mapping statistics. The results are ordered by descending probability. If the maximum probability falls below a threshold, then the probabilistic mapper decides not to map the token to any field. Otherwise, the calculated fields are ordered by descending probability, and the token is mapped to the most likely field. Each entry in the field mapping statistics represents only one occurrence of a token (with the specified feature and value) being mapped to the specified field. In another embodiment, identical entries are aggregated, and the number of aggregated entries is stored. The field mapping statistics 190 used by the probabilistic mapper 150 to calculate the field mapping probabilities mentioned above are collected by a "trainer" that compares tokenized logs/events with their correctly parsed field values. For each field, the trainer adds a corresponding entry to the table (or increments an existing aggregate entry, thereby counting the number of times it has seen a particular feature). This process is shown in FIG. 2. For each token produced by the tokenizer 140, the probabilistic mapper 150 calculates the probability of the token mapping to each field in the structured event schema. The calculation uses the field mapping statistics 190.)







Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
    PNG
    media_image1.png
    18
    19
    media_image1.png
    Greyscale

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRACY M MCGHEE whose telephone number is (313)446-6581.  The examiner can normally be reached on 9am-5pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hosain Alam can be reached on 571-272-3978.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Tracy McGhee/
Patent Examiner
Art Unit 2154
/HOSAIN T ALAM/Supervisory Patent Examiner, Art Unit 2154