DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
This application is a continuation of US Application No 14/610,408 filed 30 January 2015, now US Patent No 10360196, which is a CIP of US Application 14/253,713 filed 15 April 2014, now US Patent No 10127273, which is a CIP of US Application 14/528,898 filed 30 October 2014, now US Patent No 9838512.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 26 March 2021; 17 September 2020; 26 March 2020; and 10 June 2019 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-5, 8-14 and 17-30 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US PGPub 2012/0131139 to Siripurapu et al (hereafter Siripurapu).

Referring to claim 1, Siripurapu discloses a computer-implemented method, comprising:
causing display of a graphical user interface (GUI) including interface elements used to define an event stream to be generated by one or more remote capture agents [worker nodes] from monitored network data, wherein the event stream is associated with a plurality of event stream attributes derived from the network data [data from social data] (see [0059]; [0063]; [0095]-[0097] and [0464]-[0466] – Event creator 126 is configured to provide to event classifier 128 a set of event definitions. The event definitions can be created by a human through an interface.); 
receiving input identifying (see [0095]-[0097]; [0177]; and [0179]):
at least one first event stream attribute of the plurality of event stream attributes as a key attribute [keys], wherein the at least one first event stream attribute is used to generate a respective key representing each event of the event stream (see [0177] and [0179]), and
at least one second event stream attribute of the plurality of event stream attributes as an aggregation attribute, wherein the at least one second event stream attribute is used to generate a respective aggregated value for each event of the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events); and 
transmitting, via a network, configuration information generated based on the received input to the one or more remote capture agents [mapper/worker is invoked with an Event], the configuration information used by the one or more remote capture agents to generate the event stream [it publishes new Events], wherein each event of the event stream includes a key based on the at least one first event stream attribute and an aggregated value based on the second event stream attribute (see [0177]-[0184]).
Referring to claim 2, Siripurapu discloses the method of claim 1, further comprising receiving, via the GUI, input enabling inclusion of aggregated values in the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events).
Referring to claim 3, Siripurapu discloses the method of claim 1, wherein an aggregated event of the event stream is generated based on data included in a plurality of packets of the network data (see [0177] and [0596]).
Referring to claim 4, Siripurapu discloses the method of claim 1, wherein the at least one first event stream attribute is derived from a field of network packets included in the network data (see [0177] - the attributes depend on the kind of Event).
Referring to claim 5, Siripurapu discloses the method of claim 1, wherein the aggregated value includes a summation of values included in a plurality of packets of the network data (see [0121]; [0249]; [0265]; and [0563]).
Referring to claim 8, Siripurapu discloses the method of claim 1, wherein the event stream is an ephemeral event stream that is generated for a defined period of time (see [0106] – start and end time of the event can be specified).
Referring to claim 9, Siripurapu discloses the method of claim 1, wherein the input further specifies an aggregation interval, the aggregation interval indicating an amount of time to collect network packets used to generate each individual event of the event stream (see [0106] – start and end time of the event can be specified).
Referring to claim 10, Siripurapu discloses the method of claim 1, wherein the input identifies a plurality of first event stream attributes as key attributes, and wherein a key for each event of the event stream is generated based on a combination of the plurality of first event stream attributes (see [0177] and [0179]).
Referring to claim 11, Siripurapu discloses the method of claim 1, wherein the input identifies a plurality of second event stream attributes as aggregation attributes, and wherein each event of the event stream includes a plurality of aggregated values based on the plurality of second event stream attributes (see [0178]-[0179] – The attribute-value pairs used to group the events).
Referring to claim 12, Siripurapu discloses the method of claim 1, wherein the GUI includes user interface elements used to manage the event stream, the user interface elements including at least one of: an interface element used to clone a new event stream from an existing event stream, an interface element used to create a new event stream (see [0095]-[0097] – Event creator 126 is configured to provide to event classifier 128 a set of event definitions. The event definitions can be created by a human through an interface.), an interface element used to delete the event stream, an interface element used to enable the event stream, an interface element used to disable the event stream, or an interface element used to modify an end time of the event stream.
Referring to claim 13, Siripurapu discloses the method of claim 1, wherein the event stream includes timestamped event data (see [0177] and [0377]).
Referring to claim 14, Siripurapu discloses the method of claim 1, further comprising receiving input specifying at least one filter used to filter network packets from which the event stream is generated (see [0177] and [0179]).
Referring to claim 17, Siripurapu discloses the method of claim 1, wherein the event stream is an ephemeral event stream (see [0106] – start and end time of the event can be specified), and wherein the method further comprises causing display, in a second GUI, of at least one user interface element used to manage the ephemeral event stream, wherein managing the ephemeral event stream comprises at least one of: modifying an end time for terminating capture of timestamped event data in the ephemeral event stream, disabling the ephemeral event stream, or deleting the ephemeral event stream (see [0121]; [0249]; [0265]; [0563]; and [0561]).
Referring to claim 18, Siripurapu discloses the method of claim 1, further comprising causing display, in a second GUI, of a metric associated with timestamped event data in the event stream (see [0135] and Figs 5-7).
Referring to claim 19, Siripurapu discloses the method of claim 1, further comprising causing display of a GUI including a representation of a plurality of event streams including the event stream (see [0135] and Figs 5-7).
Referring to claim 20, Siripurapu discloses the method of claim 1, further comprising input defining a second event stream to be generated from the same monitored network data (see [0059]; [0063]; [0095]-[0097] and [0464]-[0466]).
Referring to claim 21, Siripurapu discloses an apparatus, comprising:
one or more hardware processors (see [0057]); and
memory storing instructions that, when executed by the one or more hardware processors (see [0057]), cause the apparatus to:
cause display of a graphical user interface (GUI) including interface elements used to define an event stream to be generated by one or more remote capture agents [worker nodes] from monitored network data, wherein the event stream is associated with a plurality of event stream attributes derived from the network data [data from social data] (see [0059]; [0063]; [0095]-[0097] and [0464]-[0466] – Event creator 126 is configured to provide to event classifier 128 a set of event definitions. The event definitions can be created by a human through an interface.); 
receive input identifying (see [0095]-[0097]; [0177]; and [0179]):
at least one first event stream attribute of the plurality of event stream attributes as a key attribute [keys], wherein the at least one first event stream attribute is used to generate a respective key representing each event of the event stream (see [0177] and [0179]), and
at least one second event stream attribute of the plurality of event stream attributes as an aggregation attribute, wherein the at least one second event stream attribute is used to generate a respective aggregated value for each event of the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events); and 
transmit, via a network, configuration information generated based on the received input to the one or more remote capture agents [mapper/worker is invoked with an Event], the configuration information used by the one or more remote capture agents to generate the event stream [it publishes new Events], wherein each event of the event stream includes a key based on the at least one first event stream attribute and an aggregated value based on the second event stream attribute (see [0177]-[0184]).
Referring to claim 22, Siripurapu discloses the apparatus of claim 21, wherein the instructions, when executed by the one or more hardware processors, further cause the apparatus to: receive, via the GUI, input enabling inclusion of aggregated values in the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events).
Referring to claim 23, Siripurapu discloses the apparatus of claim 21, wherein an aggregated event of the event stream is generated based on data included in a plurality of packets of the network data (see [0177] and [0596]).
Referring to claim 24, Siripurapu discloses the apparatus of claim 21, wherein the at least one first event stream attribute is derived from a field of network packets included in the network data (see [0177] - the attributes depend on the kind of Event).
Referring to claim 25, Siripurapu discloses the apparatus of claim 21, wherein the aggregated value includes a summation of values included in a plurality of packets of the network data.
Referring to claim 26, Siripurapu discloses a non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations (see [0057]) comprising:
causing display of a graphical user interface (GUI) including interface elements used to define an event stream to be generated by one or more remote capture agents [worker nodes] from monitored network data, wherein the event stream is associated with a plurality of event stream attributes derived from the network data [data from social data] (see [0059]; [0063]; [0095]-[0097] and [0464]-[0466] – Event creator 126 is configured to provide to event classifier 128 a set of event definitions. The event definitions can be created by a human through an interface.); 
receiving input identifying (see [0095]-[0097]; [0177]; and [0179]):
at least one first event stream attribute of the plurality of event stream attributes as a key attribute [keys], wherein the at least one first event stream attribute is used to generate a respective key representing each event of the event stream (see [0177] and [0179]), and
at least one second event stream attribute of the plurality of event stream attributes as an aggregation attribute, wherein the at least one second event stream attribute is used to generate a respective aggregated value for each event of the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events); and 
transmitting, via a network, configuration information generated based on the received input to the one or more remote capture agents [mapper/worker is invoked with an Event], the configuration information used by the one or more remote capture agents to generate the event stream [it publishes new Events], wherein each event of the event stream includes a key based on the at least one first event stream attribute and an aggregated value based on the second event stream attribute (see [0177]-[0184]).
Referring to claim 27, Siripurapu discloses the non-transitory computer-readable storage medium of claim 26, wherein the instructions, when executed by the computer, further cause the computer to perform operations comprising: receiving, via the GUI, input enabling inclusion of aggregated values in the event stream (see [0178]-[0179] – The attribute-value pairs used to group the events).
Referring to claim 28, Siripurapu discloses the non-transitory computer-readable storage medium of claim 26, wherein an aggregated event of the event stream is generated based on data included in a plurality of packets of the network data (see [0177] and [0596]).
Referring to claim 29, Siripurapu discloses the non-transitory computer-readable storage medium of claim 26, wherein the at least one first event stream attribute is derived from a field of network packets included in the network data (see [0177] - the attributes depend on the kind of Event).
Referring to claim 30, Siripurapu discloses the non-transitory computer-readable storage medium of claim 26, wherein the aggregated value includes a summation of values included in a plurality of packets of the network data (see [0121]; [0249]; [0265]; and [0563]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub 2012/0131139 to Siripurapu et al in view of US Patent No 7,107,335 to Arcieri et al (hereafter Arcieri).
Referring to claim 6, Siripurapu fails to explicitly disclose the further limitation of wherein the event stream is based on a protocol used by the network data, and wherein the protocol is one of: a transport layer protocol, a session layer protocol, a presentation layer protocol, or an application layer protocol.  Arcieri teaches monitoring and 
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to utilize the different types of transmission protocols taught by Arcieri as the transmission protocols of Siripurapu.  One would have been motivated to do so since these are merely specific types of protocols used during transmission and Siripurapu teaches the concept of transmission.

Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub 2012/0131139 to Siripurapu et al in view of US PGPub 2013/0182700 to Figura et al (hereafter Figura).
Referring to claim 7, Siripurapu fails to explicitly teach the further limitation of wherein the aggregated value included in an event of the event stream is generated by performing an operation on data included in a plurality of network packets of the network data, wherein the operation includes at least one of: a minimum, a maximum, an average, or a standard deviation.  Figura teaches event stream generation, including the further limitation of wherein the aggregated value included in an event of the event stream is generated by performing an operation on data included in a plurality of network packets of the network data, wherein the operation includes at least one of: 
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to utilize the specific types of aggregation methods taught by Figura to aggregate the data of Siripurapu. One would have been motivated to do so since these are just specific types of aggregation methods.

Claims 15 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub 2012/0131139 to Siripurapu et al in view of US PGPub 2015/0213631 to Vander Broek (hereafter Vander).
Referring to claim 15, Siripurapu fails to explicitly teach the further limitation of further comprising causing display of a second GUI including a user-interface element used to perform a search of the plurality of event streams.  Vander teaches the creation of event streams, including the further limitation of causing display of a second GUI including a user-interface element used to perform a search of the plurality of event streams (see [0053]).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to search the event data of Siripurapu in the manner taught by Vander.  One would have been motivated to do so in order to accurately analyze large amounts of data and to gain helpful information from the data (Vander: see [0003] and [0004]).
Referring to claim 16, Siripurapu fails to explicitly teach the further limitation of wherein events in the plurality of event streams are searchable by a late-binding schema.  Vander teaches the creation of event streams, including the further limitation of wherein events in the plurality of event streams are searchable by a late-binding schema (see [0053]).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to search the event data of Siripurapu in the manner taught by Vander.  One would have been motivated to do so in order to accurately analyze large amounts of data and to gain helpful information from the data (Vander: see [0003] and [0004]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US PGPub 2011/0320586 to Maltz et al

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KIMBERLY LOVEL WILSON whose telephone number is (571)272-2750.  The examiner can normally be reached on 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Robert Beausoliel, can be reached on 571-272-3645. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KIMBERLY L WILSON/Primary Examiner, Art Unit 2167