DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-3, 6, 8, 11-14, 19, 27 and 30 are amended.
Claims 1-9, 11-25 and 27-30 are presented for examination.

The claims and only the claims form the metes and bounds of the invention. “Office personnel are to give claims their broadest reasonable interpretation in light of the supporting disclosure. In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir. 1997). Limitations appearing in the specification but not recited in the claim are not read into the claim. In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 550-551 (CCPA 1969)” (MPEP p 2100-8, c 2, l 45-48; p 2100-9, c 1, l 1-4). The Examiner has full latitude to interpret each claim in the broadest reasonable sense. The Examiner will reference prior art using terminology familiar to one of ordinary skill in the art. Such an approach is broad in concept and can be either explicit or implicit in meaning.

Response to Arguments
The reference by Fotsch and the reference by Yeung are no longer relied upon for the rejection of the instant claims. Applicant’s arguments have been considered but they are moot in view of new grounds of rejection. However, the Examiner welcomes any suggestion(s) Applicants may have on moving prosecution forward. The Examiner’s contact information is in the Conclusion of this office action.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 7, 9, 15-17 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”).

As to Claim 1, Pong teaches a method comprising: ingesting, by a data intake and query system, a plurality of metrics including key values (Pong: at least ¶¶0046, 0055; “tuple (lip, lp, fip, fp)” and “elements within ) and measured values (Pong: at least Figs. 2 & 4b, ¶0044; “TCB 206 may comprise a data structure that contains state information associated with a network connection”), and wherein each of the plurality of key values includes a primary key value of a primary key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”);
generating, by the data intake and query system, a particular hash value for each metric of the plurality of metrics by processing a primary key value associated with the metric, with a hashing function (Pong: at least ¶0055; “hash function may utilize a search key, comprising the tuple (lip, lp, fip, fp), to generate a hash index”); and
storing, by the data intake and query system, a first metric of the plurality of metrics in a first hash bucket, wherein a hash value of the first hash bucket matches the particular hash value for the first metric (Pong: at least Fig. 4b, ¶0055; “selected one of the plurality of pointers may be utilized to locate a first TCB in a corresponding hash bucket chain”; note: extracted session with state information as metric).

Both Pong and He are related to the use of hash buckets.
Pong does not explicitly disclose, but He discloses wherein a measured value includes a numerical value and represents a performance measurement of a computing resource that is measured at a point in time (He: at least ¶0005; “a data collection node randomly sends collected elements for different objects to one or more work nodes, where a relationship between an object and an element may be represented as "element (object, value)", that is, "element (key, value)"; and the "value" included in the element may be a traffic value of the element, or information (such as a quantity of data packets included in the element) that can indicate a traffic value of the element”; note: traffic value or quantity of data packets as measured value that include a numerical value);
wherein said first hash bucket is associated with a time-based criterion (He: at least ¶0144; “determine I buckets to which each object mapped to the nth target bucket is mapped within the current time interval”; ¶0005 explains “elements for a same object are generally mapped to a same bucket”);
storing, by the data intake and query system, a second metric of the plurality of metrics in a second hash bucket when a time value associated with the second metric of the plurality of metrics does not correspond to the time-based criterion associated with the first hash bucket (He: at least ¶0179; “first object in the mapped ith bucket within a previous time interval of the current time interval”);
identifying, by the data intake and query system, an anomalous metric from among the plurality of metrics, the anomalous metric being a metric that includes an outlier key value relative to key values of other metrics (He: at least ¶¶0004-0005; “a heavy hitter and a heavy changer are two most important types of network anomalies” and “heavy hitter refers to a data stream that frequently occurs in a network, and is defined as a data stream having large overall traffic in this specification”; “"value" included in the element may be a traffic value of the element, or information (such as a quantity of data packets included in the element) that can indicate a traffic value of the element”; ¶0038 further discloses “a bucket is acquired as a target bucket, where total traffic of all elements mapped to the bucket within a current time interval is greater than or equal to a first threshold” and “whether an object is an abnormal object is identified according to total traffic of all elements mapped to a bucket and an upper traffic limit of a single object in the mapped-to bucket”; note: heavy or large traffic as anomalous); and
storing, by the data intake and query system, the anomalous metric in a quarantine bucket irrespective of the particular hash value of the anomalous metric (He: at least ¶0038; “a bucket is acquired as a target bucket, where total traffic of all elements mapped to the bucket within a current time interval is greater than or equal to a first threshold” and “whether an object is an abnormal object is identified according to total traffic of all elements mapped to a bucket and an upper traffic limit of a single object in the mapped-to bucket”; note: mapping to target bucket is dependent on quantity of traffic, irrespective of hash value).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate He’s features of wherein a measured value includes a numerical value and represents a performance measurement of a computing resource that is measured at a point in time (He: at least ¶0005);
wherein said first hash bucket is associated with a time-based criterion (He: at least ¶¶0005, 0144);
storing, by the data intake and query system, a second metric of the plurality of metrics in a second hash bucket when a time value associated with the second metric of the plurality of metrics does not correspond to the time-based criterion associated with the first hash bucket (He: at least ¶0179);
identifying, by the data intake and query system, an anomalous metric from among the plurality of metrics, the anomalous metric being a metric that includes an outlier key value relative to key values of other metrics (He: at least ¶¶0004-0005, 0038); and
storing, by the data intake and query system, the anomalous metric in a quarantine bucket irrespective of the particular hash value of the anomalous metric (He: at least ¶0038) with Pong’s method that uses buckets for storage.
The suggestion/motivation for doing so would have been to implement “a method for identifying abnormal network traffic” (He: at least ¶0005).

Claim 30, a system claim, recites limitations that are similar to the limitations recited in Claim 1 above, and is rejected for the same reason(s).

As to Claim 4, Pong and He teach the method of claim 1, wherein the primary key is selected by a user (Pong: at least ¶¶0053, 0055; “hash function may utilize a search key, comprising the tuple (lip, lp, fip, fp), to generate a hash index”; note: a user can be any user and does not have to be human; when the system makes use of a hash function that utilizes a search key, the search key being utilized is selected).

As to Claim 5, Pong and He teach the method of claim 1, wherein the primary key is included in a policy defining conditions for generating a new hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created” and “new bucket” created; note: session would include lip, lp, ). 

As to Claim 7, Pong and He teach the method of claim 1, wherein the primary key is a source key, a host key, or a source type key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”; ¶0045 teaches “a local internet protocol (IP) address, lip, a local port number, lp, a foreign IP address, fip, and a foreign port number, fp”; note: tuple (lip, lp, fip, fp) can be source key or host key).

As to Claim 9, Pong and He teach the method of claim 1, wherein the primary key is not a time based key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”; ¶0045 teaches “a local internet protocol (IP) address, lip, a local port number, lp, a foreign IP address, fip, and a foreign port number, fp”; note: i.e. none of these are a time key).

As to Claim 15, Pong and He teach the method of claim 1, wherein each metric includes a plurality of dimensions, wherein each dimension is either a required dimension or an optional dimension (Pong: at least ¶¶0045-0046; “extracted information”; “lip, lp, fip and fp” are required for search key; note: the (IETF) specification for TCP and/or IP ), wherein each metric includes a key value for each required dimension, and wherein only some of the plurality of metrics include key values for some optional dimensions (Pong: at least Fig. 2, ¶¶0045-0046; IPs are required; “TCP” value is not required for recording UDP session and “UDP” value is not required for recording TCP session). 

As to Claim 16, Pong and He teach the method of claim 1, wherein each metric is a semi-structured metric or a structured metric (Pong: at least ¶0055; “tuple (lip, lp, fip, fp)”; note: addresses are, for example, structured as xxx.yyy.zzz.aaa - the portions separated by periods).

As to Claim 17, Pong and He teach the method of claim 1, wherein the measured value comprise a measure of a utilization of an electronic component, a temperature of the electronic component, or a voltage reading of the electronic component (He: at least ¶0005; “"value" included in the element may be a traffic value of the element, or information (such as a quantity of data packets included in the element) that can indicate a traffic value of the element”; note: traffic value or quantity of data packets comprise measure of utilization).

Claims 2 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”).

As to Claim 2, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have hash value matching an existing hash bucket).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).

As to Claim 6, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have hash value matching an existing hash bucket), wherein the new hash bucket is generated in accordance with heuristics defining conditions that must be satisfied before generating the new hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new network connection must be created to trigger creation of new bucket).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match a hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is a matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match a hash value of the new bucket (Bennett: at least ¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).

Claims 3, 8, 14 and 19-25 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US PGPUB 2016/0342623 by Hsiao et al. (“Hsiao”).

As to Claim 3, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before); obtaining, by the data intake and query system, search results satisfying a search query indicative of a queried key value by searching hash buckets having hash values that match a hash value of the queried key value (Pong: at least ¶¶0054-0055; “traverse the located hash bucket chain during a search for a referenced TCB”).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).

Pong, He and Bennett do not explicitly disclose, but Hsiao discloses displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12; “search query uniquely identify the particular hash bucket from the plurality of hash buckets” and “search results to be displayed on the display of the mobile device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hsiao’s feature of displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12) with the method that uses buckets for storage disclosed by Pong, He and Bennett.
The suggestion/motivation for doing so would have been to output to users of mobile devices, the content in hash buckets (Hsiao: at least claim 12, ¶0034; “search results” returned to mobile device and “search results to be displayed 216 on mobile device”) such as the information session in hash buckets (Pong: at least ¶0015; “TCB may comprise a data structure that maintains state information about the network connection”) that is disclosed by Pong, He and Bennett.

As to Claim 8, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before); obtaining, by the data intake and query system, search results satisfying a search query indicative of a queried key value by searching hash buckets having hash values that match a hash value of the queried key value (Pong: at least ¶¶0054-0055; “traverse the located hash bucket chain during a search for a referenced TCB”), wherein the search results are obtained by only searching the hash buckets that have hash values matching the hash value of the queried key value (Pong: at least ¶0053, corresponds to the search key, the TCB referenced by the tuple may be located).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).

Pong, He and Bennett do not explicitly disclose, but Hsiao discloses displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12; “search query uniquely identify the particular hash bucket from the plurality of hash buckets” and “search results to be displayed on the display of the mobile device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hsiao’s feature of displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12) with the method that uses buckets for storage disclosed by Pong, He and Bennett.
The suggestion/motivation for doing so would have been to output to users of mobile devices, the content in hash buckets (Hsiao: at least claim 12, ¶0034; “search results” returned to mobile device and “search results to be displayed 216 on mobile device”) such as the information session in hash buckets (Pong: at least ¶0015; “TCB may comprise a data structure that maintains state information about the network connection”) that is disclosed by Pong, He and Bennett.

As to Claim 14, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before); obtaining, by the data intake and query system, search results satisfying a search query indicative of a queried key value by searching hash buckets having hash values that match a hash value of the queried key value (Pong: at least ¶¶0054-0055; “traverse the located hash bucket chain during a search for a referenced TCB”), wherein the search results are obtained by only searching the hash buckets that have hash values matching the hash value of the queried key value (Pong: at least ¶0053, 0055; “a table lookup operation to locate a target TCB 407 may comprise a linear search process that traverses each element in the list of TCBs 403, 405 and 407 in a fixed order” and “if the information stored within the TCB 403 corresponds to the search key, the TCB referenced by the tuple may be located”), and wherein the search query is input by a user (Pong: at least ¶¶0053, 0055; “utilize a search key, comprising the tuple (lip, lp, fip, fp), to generate a hash index”; note: a user can be any user and does not have to be human) and expressed in a pipelined search language (Pong: at least ¶0076; “computer program in the present context means any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information ).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).

Pong, He and Bennett do not explicitly disclose, but Hsiao discloses displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12; “search query uniquely identify the particular hash bucket from the plurality of hash buckets” and “search results to be displayed on the display of the mobile device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hsiao’s feature of displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12) with the method that uses buckets for storage disclosed by Pong, He and Bennett.
The suggestion/motivation for doing so would have been to output to users of mobile devices, the content in hash buckets (Hsiao: at least claim 12, ¶0034; “search results” returned to mobile device and “search results to be displayed 216 on mobile device”) such as the information session in hash buckets (Pong: at least ¶0015; “TCB may comprise a data structure that maintains state information about the network connection”) that is disclosed by Pong, He and Bennett.

As to Claim 19, Pong teaches a method comprising: ingesting, by a data intake and query system, a plurality of metrics (Pong: at least Figs. 2 & 4b, ¶0044; “TCB 206 may comprise a data structure that contains state information associated with a network connection”) including key values (Pong: at least ¶0055; “tuple (lip, lp, fip, fp)”) and measured values (Pong: at least Figs. 2 & 4b, ¶0044; “TCB 206 may comprise a data structure that contains state information associated with a network connection”), and wherein each of the plurality of key values includes a primary key value of a primary key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”);
generating, by the data intake and query system, a particular hash value for each metric of the plurality of metrics by processing a primary key value associated with the metric, with a hashing function (Pong: at least ¶0055; “hash function may utilize a search key, comprising the tuple (lip, lp, fip, fp), to generate a hash index”);
storing, by the data intake and query system, a first metric of the plurality of metrics in a first hash bucket, wherein a hash value of the first hash bucket matches the particular hash value for the first metric (Pong: at least Fig. 4b, ¶0055; “hash index may be utilized to indicate a location within the hash table 402”);
generating, by the data intake and query system, a new hash bucket for a third metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have hash value matching an existing hash bucket);
Pong: at least ¶¶0054-0055; “traverse the located hash bucket chain during a search for a referenced TCB”).

Pong does not explicitly disclose, but He discloses wherein a measured value includes a numerical value and represents a performance measurement of a computing resource that is measured at a point in time (He: at least ¶0005; “a data collection node randomly sends collected elements for different objects to one or more work nodes, where a relationship between an object and an element may be represented as "element (object, value)", that is, "element (key, value)"; and the "value" included in the element may be a traffic value of the element, or information (such as a quantity of data packets included in the element) that can indicate a traffic value of the element”; note: traffic value or quantity of data packets as measured value that include a numerical value);
wherein said first hash bucket is associated with a time-based criterion (He: at least ¶0144; “determine I buckets to which each object mapped to the nth target bucket is mapped within the current time interval”; ¶0005 explains “elements for a same object are generally mapped to a same bucket”);
storing, by the data intake and query system, a second metric of the plurality of metrics in a second hash bucket when a time value associated with the second metric of the plurality of metrics does not correspond to the time-based criterion associated with the first hash bucket (He: at least ¶0179; “first object in the mapped ith bucket within a previous time interval of the current time interval”);
identifying, by the data intake and query system, an anomalous metric from among the plurality of metrics, the anomalous metric being a metric that includes an outlier key value relative to key values of other metrics (He: at least ¶¶0004-0005; “a heavy hitter and a heavy changer are two most important types of network anomalies” and “heavy hitter refers to a data stream that frequently occurs in a network, and is defined as a data stream having large overall traffic in this specification”; “"value" included in the element may be a traffic value of the element, or information (such as a quantity of data packets included in the element) that can indicate a traffic value of the element”; ¶0038 further discloses “a bucket is acquired as a target bucket, where total traffic of all elements mapped to the bucket within a current time interval is greater than or equal to a first threshold” and “whether an object is an abnormal object is identified according to total traffic of all elements mapped to a bucket and an upper traffic limit of a single object in the mapped-to bucket”; note: heavy or large traffic as anomalous);
storing, by the data intake and query system, the anomalous metric in a quarantine bucket irrespective of the particular hash value of the anomalous metric (He: at least ¶0038; “a bucket is acquired as a target bucket, where total traffic of all elements mapped to the bucket within a current time interval is greater than or equal to a first threshold” and “whether an object is an abnormal object is identified according to total traffic of all elements mapped to a bucket and an upper traffic limit of a single object in the mapped-to bucket”; note: mapping to target bucket is dependent on quantity of traffic, irrespective of hash value).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate He’s features of a measured value includes a numerical value and represents a performance measurement of a computing resource that is measured at a point in time (He: at least ¶0005);
wherein said first hash bucket is associated with a time-based criterion (He: at least ¶¶0005, 0144);
storing, by the data intake and query system, a second metric of the plurality of metrics in a second hash bucket when a time value associated with the second metric of the plurality of metrics does not correspond to the time-based criterion associated with the first hash bucket (He: at least ¶0179);
identifying, by the data intake and query system, an anomalous metric from among the plurality of metrics, the anomalous metric being a metric that includes an outlier key value relative to key values of other metrics (He: at least ¶¶0004-0005, 0038);
storing, by the data intake and query system, the anomalous metric in a quarantine bucket irrespective of the particular hash value of the anomalous metric (He: at least ¶0038) with Pong’s method that uses buckets for storage.
The suggestion/motivation for doing so would have been to implement “a method for identifying abnormal network traffic” (He: at least ¶0005).

Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
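The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).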
Pong, He and Bennett do not explicitly disclose, but Hsiao discloses causing display, on a display device, of the search results or data indicative of the search results (Hsiao: at least claim 12; “search query uniquely identify the particular hash bucket from the plurality of hash buckets” and “search results to be displayed on the display of the mobile device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hsiao’s feature of causing display, on a display device, of the search results or data indicative of the search results (Hsiao: at least claim 12) with the method disclosed by Pong, He and Bennett.
The suggestion/motivation for doing so would have been to output to users of mobile devices, the content in hash buckets (Hsiao: at least claim 12, ¶0034; “search results” returned to mobile device and “search results to be displayed 216 on mobile device”) such as the information session in hash buckets (Pong: at least ¶0015; “TCB may comprise a data structure that maintains state information about the network connection”) that is disclosed by Pong, He and Bennett.

As to Claim 20, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the primary key is selected by a user (Pong: at least ¶¶0053, 0055; “utilize a search key, comprising the tuple (lip, lp, fip, fp), to generate a hash index”; note: a user can be any user and does not have to be human).
 
As to Claim 21, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the primary key is included in a policy defining conditions for generating the new hash bucket (Pong: at least ¶0063; “When a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created”; note: session would include lip, lp, fip, fp that represent IPs and ports of participants in a session – these are extracted when new connection is created).

As to Claim 22, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the new hash bucket is generated in accordance with heuristics defining conditions that must be satisfied before generating the new hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new network connection must be created to trigger creation of new bucket).

As to Claim 23, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the primary key is a source key, a host key, or a source type key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”; ¶0045 teaches “a local internet protocol (IP) address, lip, a local port number, lp, a foreign IP address, fip, and a foreign port number, fp”; note: tuple (lip, lp, fip, fp) can be source key or host key).
 
As to Claim 24, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the search results are obtained by only searching the hash buckets matching the hash value of the queried key value (Pong: at least ¶¶0053, 0055; “a table lookup operation to locate a target TCB 407 may comprise a linear search process that traverses each element in the list of TCBs 403, 405 and 407 in a fixed order” and “if the information stored within the TCB 403 corresponds to the search key, the TCB referenced by the tuple may be located”).

As to Claim 25, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the primary key is not a time based key (Pong: at least ¶0055; “a search key, comprising the tuple (lip, lp, fip, fp)”; ¶0045 teaches “a local internet protocol (IP) address, lip, a local port number, lp, a foreign IP address, fip, and a foreign port number, fp”; note: i.e. none of these are a time key).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US Patent 6,597,661 by Bonn, and further in view of US PGPUB 2016/0342623 by Hsiao et al. (“Hsiao”).

As to Claim 11, Pong and He teach the method of claim 1, the method further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value that does not match the hash value of the first hash bucket (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before);
obtaining, by the data intake and query system, search results satisfying a search query indicative of a queried key value by searching hash buckets having hash values that match a hash value of the queried key value (Pong: at least ¶¶0054-0055; “traverse the located hash bucket chain during a search for a referenced TCB”).
Pong and He do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072) with the method that uses buckets for storage disclosed by Pong and He.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).
 
Pong, He and Bennett do not explicitly disclose, but Bonn discloses the quarantine bucket includes a plurality of anomalous metrics having different hash values (Bonn: Fig. 7B, Col. 6 Lines 20-30; “an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710 it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710”; note: bucket with authorization record 7410 as quarantine bucket; indexed as expired; indexing on plurality of expired packets) and searching the quarantine bucket (Bonn: Fig. 7B, at least Col. 6 Lines 25-27; “searches the list of authorization records for hash result 1250”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bonn’s features of the quarantine bucket includes a plurality of anomalous metrics having different hash values (Bonn: Fig. 7B, Col. 6 Lines 20-30) and searching the quarantine bucket (Bonn: Fig. 7B, at least Col. 6 Lines 25-27) with the method that uses buckets for storage disclosed by Pong, He and Bennett.
The suggestion/motivation for doing so would have been to control flow of packet exchange in a data network based on a period of time when such packet exchange is allowed (Bonn: at least Col. 2 Lines 36-37 & 41-44).
Pong, He, Bennett and Bonn do not explicitly disclose, but Hsiao discloses displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12; “search query uniquely identify the particular hash bucket from the plurality of hash buckets” and “search results to be displayed on the display of the mobile device”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hsiao’s feature of displaying, on a display device, the search results or data indicative of the search results (Hsiao: at least claim 12) with the method that uses buckets for storage disclosed by Pong, He, Bennett and Bonn.
The suggestion/motivation for doing so would have been to output to users of mobile devices, the content in hash buckets (Hsiao: at least ¶0038, claim 12; “search results are received and displayed”) -- such as the information session in hash buckets (Pong: at least ¶0015; “TCB may comprise a data structure that maintains state information about the network connection”) that is disclosed by Pong, He, Bennett and Bonn.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2017/0031988 by Sun et al. (“Sun”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US PGPUB 2006/0095458 by Siu et al. (“Siu”).

As to Claim 12, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before), wherein the new hash bucket is operable to receive other metrics having a matching hash value (Pong: at least ¶0063 “new hash pointer table entry may refer to the new bucket. The new etag may be entered into the new bucket”).
Pong and He do not explicitly disclose, but Sun discloses said new hash bucket for a particular metric having a particular hash value that matches the hash value of the first hash bucket (Sun: at least ¶0024; “copies of each hash bucket, referred to as replicas”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Sun’s feature of said new hash bucket for a particular metric having a particular hash value that matches the hash value of the first hash bucket (Sun: at least ¶0024) with the method that uses buckets for storage disclosed by Pong and He.
Sun: at least ¶0024).
Pong, He and Sun do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values matching the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values matching the hash value of the new bucket (Bennett: at least ¶¶0044, 0072) with the method that uses buckets for storage disclosed by Pong, He and Sun.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).
Pong, He, Sun and Bennett do not explicitly disclose, but Siu discloses wherein the new hash bucket is generated when the first hash bucket exceeds a threshold size value (Siu: at least ¶¶0044, 0053; “If the current bucket does not have room a hash operation is performed at block 805” and a subsequent step 811 creates the new bucket; note: the claim requires that existing hash bucket has “a matching hash value”; Fig. 6 of Siu shows hash function 607 that produces 609 used as “index to point to which of the 0 to n buckets 611 the data record 601 is stored” – each bucket has “a” or “any” matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Siu’s feature of wherein the new hash bucket is generated when the first hash bucket exceeds a threshold size value (Siu: at least ¶¶0044, 0053) with the method that uses buckets for storage disclosed by Pong, He, Sun and Bennett.
The suggestion/motivation for doing so would have been to allow for “storing generic keyed data records on disk-like storage that tends to speed up the access time of data on storage” (Siu: at least ¶0004).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2017/0031988 by Sun et al. (“Sun”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US Patent 6,597,661 by Bonn.

As to Claim 13, Pong and He teach the method of claim 1, further comprising: generating, by the data intake and query system, a new hash bucket for a particular metric having a particular hash value (Pong: at least ¶0063; “when a new network connection is created between a host 101 and a host 100, a new TCB 206 may be created. A corresponding new etag may also be created. The new etag may be entered into an existing bucket 504, or a new bucket may be created”; note: a new TCB would not have a matching hash because it didn’t exist before), wherein the new hash bucket is operable to receive other metrics having a matching hash value (Pong: at least ¶0063 “new hash pointer table entry may refer to the new bucket. The new etag may be entered into the new bucket”).
Pong and He do not explicitly disclose, but Sun discloses said new hash bucket for a particular metric having a particular hash value that matches the hash value of the first hash bucket (Sun: at least ¶0024; “copies of each hash bucket, referred to as replicas”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Sun’s feature of said new hash bucket for a particular metric having a particular hash value that matches the hash value of the first hash bucket (Sun: at least ¶0024) with the method that uses buckets for storage disclosed by Pong and He.
Sun: at least ¶0024).
Pong, He and Sun do not explicitly disclose, but Bennett discloses the new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072; “creates a new head hash bucket unit, having a new set membership filter and a new hash block” and “if this query is answered in the affirmative, the query component 116 can conclude that the hash bucket unit 202 may include a hash entry being sought”; note: hash entry being sought is the matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bennett’s feature of new hash bucket being allocated to receive other metrics having hash values that match the hash value of the new bucket (Bennett: at least ¶¶0044, 0072) with the method that uses buckets for storage disclosed by Pong, He and Sun.
The suggestion/motivation for doing so would have been to allow for querying of membership of data using a bloom membership filter (Bennett: at least ¶0003).
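Pong, He, Sun and Bennett do not explicitly disclose, but Bonn discloses the new hash bucket is generated when a time value of the particular metric is not within a time range of the first hash bucket (Bonn: Fig. 7B, Col. 6 Lines 20-30; “an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710 it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710”; note: expiration time of authorization as time range of existing bucket and current time as time value of metric; buckets must be newly generated at some point).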
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bonn’s feature of the new hash bucket is generated when a time value of the particular metric is not within a time range of the first hash bucket (Bonn: Fig. 7B, Col. 6 Lines 20-30) with the method that uses buckets for storage disclosed by Pong, He, Sun and Bennett.
The suggestion/motivation for doing so would have been to control flow of packet exchange in a data network based on a period of time when such packet exchange is allowed (Bonn: at least Col. 2 Lines 36-37 & 41-44).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US Patent 6,892,307 by Wood et al. (“Wood”).

As to Claim 18, Pong and He teach the method of claim 1.
Pong and He do not explicitly disclose, but Wood discloses each numerical value is a floating point value (Wood: at least Col. 6 Lines 30-35; “environment information such as time of request, source of request, connection speed, and/or client application (e.g., browser) environment information”; note: connection speed or browser version as floating point). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Wood’s feature of a measured value that is a floating point value (Wood: at least Col. 6 Lines 30-35) with the session information taught by Pong and He.
The suggestion/motivation for doing so would have been to record various parameters of a network session such as the session information disclosed by Pong and He (Wood: at least Col. 6 Lines 30-35).

Claims 27 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US PGPUB 2016/0342623 by Hsiao et al. (“Hsiao”), and further in view of US Patent 6,597,661 by Bonn.

As to Claim 27, Pong, He, Bennett and Hsiao teach the method of claim 19, wherein the data intake and query system searches only the hash buckets matching the hash value of the queried key value to obtain the search results (Pong: at least ¶¶0053, 0055; “a table lookup operation to locate a target TCB 407 may comprise a linear search process that traverses each element in the list of TCBs 403, 405 and 407 in a fixed order” and “if the information stored within the TCB 403 corresponds to the search key, the TCB referenced by the tuple may be located”).
Pong, He, Bennett and Hsiao do not explicitly disclose, but Bonn discloses the quarantine bucket includes a plurality of anomalous events having different hash values (Bonn: Fig. 7B, Col. 6 Lines 20-30; “an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710 it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710”; note: bucket with authorization record 7410 as quarantine bucket; indexed as expired; indexing on plurality of expired packets), and wherein the data intake and query system searches the quarantine bucket in addition to only the hash buckets matching the hash value of the queried key value to obtain the search results (Bonn: Fig. 7B, at least Col. 6 Lines 25-27; “searches the list of authorization records for hash result 1250”; note: one cannot be only searching a container and then search another container).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bonn’s features of the quarantine bucket includes a plurality of anomalous events having different hash values (Bonn: Fig. 7B, Col. 6 Lines 20-30), and wherein the data intake and query system searches the quarantine bucket in addition to only the hash buckets matching the hash value of the queried key value to obtain the search results (Bonn: Fig. 7B, at least Col. 6 Lines 25-27) with the method that uses buckets for storage disclosed by Pong, He, Bennett and Hsiao.
The suggestion/motivation for doing so would have been to control flow of packet exchange in a data network based on a period of time when such packet exchange is allowed (Bonn: at least Col. 2 Lines 36-37 & 41-44).

As to Claim 29, Pong, He, Bennett and Hsiao teach the method of claim 19. 
Pong, He, Bennett and Hsiao do not explicitly disclose, but Bonn discloses wherein a new hash bucket is generated even if an existing hash bucket has a matching hash value when a time value of an event is not within a time range of the existing hash bucket (Bonn: Fig. 7B, Col. 6 Lines 20-30; “an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710 it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710”; note: expiration time of authorization as time range of existing bucket and current time as time value of metric; buckets must be newly generated at some point).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bonn’s feature of wherein a new hash bucket is generated even if an existing hash bucket has a matching hash value when a time value of an event is not within a time range of the existing hash bucket (Bonn: Fig. 7B, Col. 6 Lines 20-30) with the method that uses buckets for storage disclosed by Pong, He, Bennett and Hsiao.
The suggestion/motivation for doing so would have been to control flow of packet exchange in a data network based on a period of time when such packet exchange is allowed (Bonn: at least Col. 2 Lines 36-37 & 41-44).

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2006/0274762 by Pong in view of US PGPUB 2015/0319069 by He et al. (“He”), and further in view of US PGPUB 2018/0011852 by Bennett et al. (“Bennett”), and further in view of US PGPUB 2016/0342623 by Hsiao et al. (“Hsiao”), and further in view of US PGPUB 2006/0095458 by Siu et al. (“Siu”).

As to Claim 28, Pong, He, Bennett and Hsiao teach the method of claim 19.
Pong, He, Bennett and Hsiao do not explicitly disclose, but Siu discloses wherein the new hash bucket is generated even if the first hash bucket has a matching hash value when the size of the first hash bucket exceeds a threshold size value (Siu: at least ¶¶0044, 0053; “If the current bucket does not have room a hash operation is performed at block 805” and a subsequent step 811 creates the new bucket; note: the claim requires that existing hash bucket has “a matching hash value”; Fig. 6 of Siu shows hash function 607 that produces 609 used as “index to point to which of the 0 to n buckets 611 the data record 601 is stored” – each bucket has “a” or “any” matching hash value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Siu’s feature of wherein the new hash bucket is generated even if the first hash bucket has a matching hash value when the size of the first hash bucket exceeds a threshold size value (Siu: at least ¶¶0044, 0053) with the method that uses buckets for storage disclosed by Pong, He, Bennett and Hsiao.
The suggestion/motivation for doing so would have been to allow for “storing generic keyed data records on disk-like storage that tends to speed up the access time of data on storage” (Siu: at least ¶0004).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Huen Wong, whose telephone number is (571)270-3426.  The examiner can normally be reached on Monday – Friday (10:00AM-6:30PM).	
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.W./
Examiner, AU 2168
01 July 2021

/IRETE F EHICHIOYA/
Supervisory Patent Examiner, Art Unit 2168