DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application is a continuation of Application 14/253,713 filed 15 April 2014, now US Patent No 10127273.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 26 March 2021; 17 September 2020; 26 March 2020; 26 June 2019; 15 March 2019; 17 December 2018; and 5 October 2018 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 31-60 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No 8,046,833 to Gustafson et al (hereafter Gustafson) in view of US PGPub 2012/0109985 to Chandrasekaran (hereafter Chandrasekaran).

Referring to claim 31, Gustafson discloses a computer-implemented method performed by a remote capture agent coupled to a network (see column 4, lines 29-33), the method comprising:
monitoring network traffic comprising a plurality of network packets (see column 4, lines 54-57 – security devices, network reporting mechanisms can examine packets moving across a network in real-time);
generating event data based on the plurality of network packets (see column 4, lines 1-17; column 4, lines 29-33; and column 6, lines 43-46);
querying a data source [network map] using at least one first value [IP address] contained in a network packet of the plurality of network packets to obtain a related second value [host or network device information] (see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address ; and
transforming the event data at least in part by including the related second value in the event data (see column 6, lines 1-9 – In step 130, the identity of the network device is recorded. The identity is stored as a data structure.).
Gustafson fails to explicitly disclose the further limitation of the events having a timestamp.  Chandrasekaran teaches the generation of events including the limitation wherein the events are timestamped (see [0057]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner taught by Chandrasekaran.  One would have been motivated to do so since Gustafson discusses events that occur at different times and having the events timestamped allows for data to be accessed and analyzed using the points in time (Chandrasekaran: see [0008]).
Referring to claim 32, the combination of Gustafson and Chandrasekaran (hereafter Gustafson/Chandrasekaran) teaches the computer-implemented method of claim 31, wherein the data source includes data related to one or more client devices [network device] coupled to the network (Gustafson: see column 4, lines 54-59 and column 5, lines 65-67).
Referring to claim 33, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, wherein the first value contained in the network packet is an Internet Protocol (IP) address associated with a client device coupled to the network (Gustafson: see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address is reported to the network map. The network map is accessed using the identified IP address associated with the intrusion event to determine if event information matches certain criteria. The IP address is used to link to the host or other network device information in the network map.).
Referring to claim 34, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, the method further comprising storing in a data store at least one of: the timestamped event data and the transformed timestamped event data (Gustafson: see column 6, lines 2-3).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner taught by Chandrasekaran.  One would have been motivated to do so since Gustafson discusses events that occur at different times and having the events timestamped allows for data to be accessed and analyzed using the points in time (Chandrasekaran: see [0008]).
Referring to claim 35, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, wherein the related second value includes one or more of: a name of a client device, a user identifier associated with the client device (Gustafson: see column 6, lines 1-2 and lines 35-67 – identity of the network device).
Referring to claim 36, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, wherein the data source is a first data source, and wherein the method further comprises:
using the related second value to query a second data source to obtain a related third value (Gustafson: see column 4, lines 66-column 5, line 11 and column 5, line 63 – column 6, line 9); and
transforming the timestamped event data at least in part by including the related third value in the timestamped event data (Gustafson: see column 4, lines 66-column 5, line 11 and column 5, line 63 – column 6, line 9).
Referring to claim 37, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, the method further comprising enabling querying of the transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; [0047]; and [0086]), wherein enabling querying of the transformed timestamped event data comprises:
indexing the transformed timestamped event data [particular events may be indexed] (Chandrasekaran: see [0086]); and
executing queries on the indexed transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; and [0047]).
Referring to claim 38, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, the method further comprising:

executing queries on the indexed transformed timestamped event data, wherein execution of a query is performed on different subsets of the transformed timestamped event data by one or more indexers in parallel (Chandrasekaran: see [0011]; [0021]; [0047]; [0132]; and [0137]).
Referring to claim 39, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, wherein transforming the timestamped event data further includes at least one of: an aggregation, a calculation, a filter, a normalization, and a formatting (Chandrasekaran: see [0023] - filters).
Referring to claim 40, Gustafson/Chandrasekaran teaches the computer-implemented method of claim 31, the method further comprising transmitting the transformed timestamped event data over the network to a set of indexers, wherein the set of indexers are used to process queries using a late-binding schema of the transformed timestamped event data (Chandrasekaran: see [0057] and [0086]).
Referring to claim 41, Gustafson discloses a system used to improve processing of network data collected by a plurality of remote capture agents distributed across a network (see column 4, lines 29-33), comprising:
a remote capture agent implemented by a first computing device, the remote capture agent including instructions that upon execution cause the remote capture agent to: (see column 4, lines 29-33)
monitor network traffic comprising a plurality of network packets (see column 4, lines 54-57 – security devices, network reporting mechanisms can examine packets moving across a network in real-time);
generate event data based on the plurality of network packets (see column 4, lines 1-17; column 4, lines 29-33; and column 6, lines 43-46);
send the timestamped data to a transformation server (see column 4, lines 29-33);
the transformation server implemented by a second computing device (see column 3, lines 52-67), the transformation server including instructions that upon execution cause the transformation server to: 
query a data source [network map] using at least one first value [IP address] contained in a network packet of the plurality of network packets to obtain a related second value [host or network device information] (see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address is reported to the network map. The network map is accessed using the identified IP address associated with the intrusion event to determine if event information matches certain criteria. The IP address is used to link to the host or other network device information in the network map.); and
transform the event data at least in part by including the related second value in the event data (see column 6, lines 1-9 – In step 130, the 
Gustafson fails to explicitly disclose the further limitation of the events having a timestamp.  Chandrasekaran teaches the generation of events including the limitation wherein the events are timestamped (see [0057]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner taught by Chandrasekaran.  One would have been motivated to do so since Gustafson discusses events that occur at different times and having the events timestamped allows for data to be accessed and analyzed using the points in time (Chandrasekaran: see [0008]).
Referring to claim 42, the combination of Gustafson and Chandrasekaran (hereafter Gustafson/Chandrasekaran) teaches the system of claim 41, wherein the data source includes data related to one or more client devices [network device] coupled to the network (Gustafson: see column 4, lines 54-59 and column 5, lines 65-67).
Referring to claim 43, Gustafson/Chandrasekaran teaches the system of claim 41, wherein the first value contained in the network packet is an Internet Protocol (IP) address associated with a client device coupled to the network (Gustafson: see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address is reported to the network map. The network map is accessed using the 
Referring to claim 44, Gustafson/Chandrasekaran teaches the system of claim 41, wherein the system further includes an indexer implemented by a third computing device (see column 3, lines 53-67), the indexer including instructions that, upon execution, cause the indexer to store in a data store at least one of: the timestamped event data and the transformed timestamped event data (Gustafson: see column 6, lines 2-3).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner taught by Chandrasekaran.  One would have been motivated to do so since Gustafson discusses events that occur at different times and having the events timestamped allows for data to be accessed and analyzed using the points in time (Chandrasekaran: see [0008]).
Referring to claim 45, Gustafson/Chandrasekaran teaches the system of claim 41, wherein the related second value includes one or more of: a name of a client device, a user identifier associated with the client device (Gustafson: see column 6, lines 1-2 and lines 35-67 – identity of the network device).
Referring to claim 46, Gustafson/Chandrasekaran teaches the system of claim 41, wherein the data source is a first data source, and wherein the transformation server 
use the related second value to query a second data source to obtain a related third value (Gustafson: see column 4, lines 66-column 5, line 11 and column 5, line 63 – column 6, line 9); and
transform the timestamped event data at least in part by including the related third value in the timestamped event data (Gustafson: see column 4, lines 66-column 5, line 11 and column 5, line 63 – column 6, line 9).
Referring to claim 47, Gustafson/Chandrasekaran teaches the system of claim 41, further comprising an indexer implemented by a third computing device (see column 3, lines 53-67), the indexer including instructions that upon execution cause the indexer to enable querying of the transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; [0047]; and [0086]), wherein enabling querying of the transformed timestamped event data comprises:
indexing the transformed timestamped event data [particular events may be indexed] (Chandrasekaran: see [0086]); and
executing queries on the indexed transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; and [0047]).
Referring to claim 48, Gustafson/Chandrasekaran teaches the system of claim 41, further comprising a plurality of indexers implemented by one or more third 
index the transformed timestamped event data [particular events may be indexed] (Chandrasekaran: see [0086]); and
execute queries on the indexed transformed timestamped event data, wherein execution of a query is performed on different subsets of the transformed timestamped event data by one or more indexers in parallel (Chandrasekaran: see [0011]; [0021]; [0047]; [0132]; and [0137]).
Referring to claim 49, Gustafson/Chandrasekaran teaches the system of claim 41, wherein transforming the timestamped event data further includes at least one of: an aggregation, a calculation, a filter, a normalization, and a formatting (Chandrasekaran: see [0023] - filters).
Referring to claim 50, Gustafson/Chandrasekaran teaches the system of claim 41, further comprising an indexer implemented by a third computing device (see column 3, lines 53-67), the indexer including instructions that upon execution cause the indexer to process queries using a late-binding schema of the transformed timestamped event data (Chandrasekaran: see [0057] and [0086]).
Referring to claim 51, Gustafson discloses a non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors (see column 10, lines 14-26), cause performance of operations comprising:
monitoring network traffic comprising a plurality of network packets (see column 4, lines 54-57 – security devices, network reporting mechanisms can examine packets moving across a network in real-time);
generating event data based on the plurality of network packets (see column 4, lines 1-17; column 4, lines 29-33; and column 6, lines 43-46);
querying a data source [network map] using at least one first value [IP address] contained in a network packet of the plurality of network packets to obtain a related second value [host or network device information] (see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address is reported to the network map. The network map is accessed using the identified IP address associated with the intrusion event to determine if event information matches certain criteria. The IP address is used to link to the host or other network device information in the network map.); and
transforming the event data at least in part by including the related second value in the event data (see column 6, lines 1-9 – In step 130, the identity of the network device is recorded. The identity is stored as a data structure.).
Gustafson fails to explicitly disclose the further limitation of the events having a timestamp.  Chandrasekaran teaches the generation of events including the limitation wherein the events are timestamped (see [0057]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner 
Referring to claim 52, the combination of Gustafson and Chandrasekaran (hereafter Gustafson/Chandrasekaran) teaches the non-transitory computer-readable storage medium of claim 51, wherein the data source includes data related to one or more client devices [network device] coupled to the network (Gustafson: see column 4, lines 54-59 and column 5, lines 65-67).
Referring to claim 53, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the first value contained in the network packet is an Internet Protocol (IP) address associated with a client device coupled to the network (Gustafson: see column 6, lines 35-67 – In step 630, the new event that is associated with an identified IP address is reported to the network map. The network map is accessed using the identified IP address associated with the intrusion event to determine if event information matches certain criteria. The IP address is used to link to the host or other network device information in the network map.).
Referring to claim 54, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the instructions, when executed by the one or more processors, further cause performance of operations 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have the events of Gustafson timestamped in the manner taught by Chandrasekaran.  One would have been motivated to do so since Gustafson discusses events that occur at different times and having the events timestamped allows for data to be accessed and analyzed using the points in time (Chandrasekaran: see [0008]).
Referring to claim 55, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the related second value includes one or more of: a name of a client device, a user identifier associated with the client device (Gustafson: see column 6, lines 1-2 and lines 35-67 – identity of the network device).
Referring to claim 56, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the data source is a first data source, and wherein the instructions, when executed by the one or more processors, further cause performance of operations comprising:
using the related second value to query a second data source to obtain a related third value (Gustafson: see column 4, lines 66-column 5, line 11 and column 5, line 63 – column 6, line 9); and

Referring to claim 57, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the instructions, when executed by the one or more processors, further cause performance of operations comprising enabling querying of the transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; [0047]; and [0086]), wherein enabling querying of the transformed timestamped event data comprises:
indexing the transformed timestamped event data [particular events may be indexed] (Chandrasekaran: see [0086]); and
executing queries on the indexed transformed timestamped event data (Chandrasekaran: see [0011]; [0021]; and [0047]).
Referring to claim 58, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the instructions, when executed by the one or more processors, further cause performance of operations comprising:
indexing the transformed timestamped event data [particular events may be indexed] (Chandrasekaran: see [0086]); and

Referring to claim 59, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein transforming the timestamped event data further includes at least one of: an aggregation, a calculation, a filter, a normalization, and a formatting (Chandrasekaran: see [0023] - filters).
Referring to claim 60, Gustafson/Chandrasekaran teaches the non-transitory computer-readable storage medium of claim 51, wherein the instructions, when executed by the one or more processors, further cause performance of operations comprising transmitting the transformed timestamped event data over the network to a set of indexers, wherein the set of indexers are used to process queries using a late-binding schema of the transformed timestamped event data (Chandrasekaran: see [0057] and [0086]).

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KIMBERLY LOVEL WILSON whose telephone number is (571)272-2750.  The examiner can normally be reached on 8-4:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Robert Beausoliel can be reached on 571-272-3645.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KIMBERLY L WILSON/Primary Examiner, Art Unit 2167