DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA and is in response to communications filed on 2/28/2020 in which claims 1-29 are presented for examination.

Priority
Acknowledgment is made of parent Application No. 13/956,338, filed on 7/31/2013.

Drawings
Drawings have been acknowledged and are acceptable for examination purposes.

Specification
Specification has been acknowledged and is acceptable for examination purposes.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:


Claim 7 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 7 recites, “The computer-implemented method of claim 1, further comprising: causing display of a list of searches for the identified events of interest that matched a plurality of criteria for the plurality of metrics, wherein each search in the list includes: a name of the search associated with the identified event of interest, a type of search performed for the event of interest.”
There doesn't appear to be support for these limitations in the specification. For instance, while there is support for names and types of data, names and types of searches don't appear anywhere in the specification. Note that these aren't the same things. A name of the search could be interpreted as a predetermined search that occurs on a predetermined basis, such as a periodic report where the report has a particular descriptive name. A type of search could be the criteria and/or parameters involved in the search, such as a search for login attempts arranged by date and time.
Although periodic searches appear in the specification, the specification doesn't mention naming of the periodic searches. Also, although there are criteria and
This rejection may be overcome by Applicant pointing out where in the specification this limitation is supported or by amending or cancelling the claim.

Claim 10 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 10 recites, "The computer-implemented method of claim 7, wherein the list further includes a status field that includes a first selectable option that enables a search for the event of interest and a second selectable option that disables the search for the event of interest."
There doesn't appear to be support for these limitations in the specification. For instance, while there is support for searches, a status field and an option for disabling searches don't appear anywhere in the specification. Synonyms for "disable", such as "stop" and "pause", were also searched for, but support for these couldn't be found either.
This rejection may be overcome by Applicant pointing out where in the specification this limitation is supported or by amending or cancelling the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-29 are rejected under 35 U.S.C. 103 as being unpatentable over Ginter et al. US 20050015624 A1 (hereinafter referred to as “Ginter”) in view of Carasso “Exploring Splunk” (hereinafter referred to as “Carasso”).

As per claim 1, Ginter teaches:
A computer-implemented method comprising: 
receiving selection of a plurality of metrics from a set of metrics (Ginter, [0132] – Metrics can be selected and the different types of information can be displayed.  Paragraphs [0133] and [0136] – The web server may be used in connection with displaying pages to a console in response to a user selection or obtaining settings for different threshold and alarm levels such as may be used in connection with notifications); 
Although Ginter teaches regular expressions and obtaining values periodically, Ginter doesn't go into detail about generating a search query based on selections or obtaining values within a configurable time period; however, Exploring Splunk teaches:
for at least one metric in the selection of the plurality of metrics in response to the selection: 
generating a search query based on the at least one metric, the search query including a criterion for a field value, identifying events of interest by determining that the field value in a set of machine data matches the criterion in the search query (Exploring Splunk, pg. 55, paragraph 2 – Machine data.  Pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values, wherein this is interpreted as generating a search query based on selection of metrics), and 
calculating a value for the at least one metric from the identified events of interest (Exploring Splunk, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period); and 
causing display of identifiers of the plurality of metrics and the value corresponding to the at least one metric, wherein a display order of the plurality of metrics is adjustable (Exploring Splunk, pg. 34 – Events can be retrieved where the events can be in a sorted order based on different calculations).
It would have been obvious for one of ordinary skill in the art at the time of the filing of the application to modify Ginter’s invention in view of Exploring Splunk in order to generate a search query from selections of metrics and configure a window of time for displaying metrics; this is advantageous because it allows the user to create a regular expression without knowing the syntax and to see alerts that happen within a time period respectively (Exploring Splunk, pgs. 57 and 69).

As per claim 2, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of a configurable threshold to be applied to the value of the at least one metric from the plurality of metrics (Ginter, Abstract and [0132] – The alarm thresholds may be user defined); and 
causing display of an indicator indicating that the value of the at least one metric exceeds the configurable threshold (Ginter, Fig. 14 and [0310] – Associated with each of the metrics is a level indicator. The level indicator may indicate a color or other designation associated uniquely with each alarm state within an embodiment. For example, in one embodiment, the indicator may be green when the metric level is in the normal range, yellow when the metric level is in the warning range, and red when in the highest severity range).

As per claim 3, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of a configurable threshold to be applied to a change in the value of the at least one metric from the plurality of metrics (Exploring Splunk, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold); and 
causing display of an indicator indicating that the change in the value of the at least one metric exceeds the configurable threshold (Exploring Splunk, pg. 55 – Creating Alerts about Potential Problems shows how to track and send alerts when metrics cross thresholds).


As per claim 4, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising:
causing display of a drill down view of the machine data underlying the value of the at least one metric from the plurality of metrics upon selection of the at least one metric (Exploring Splunk, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred.  See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 5, Ginter as modified teaches:
The computer-implemented method of claim 1, wherein the value corresponding to the at least one metric is determined based upon a number of events identified as search query results (Exploring Splunk, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).

As per claim 6, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of a time period for the plurality of metrics, wherein the identified events of interest fall within the time period (Exploring Splunk, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).


As per claim 7, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising:
causing display of a list of searches for the identified events of interest that matched a plurality of criteria for the plurality of metrics (Carasso, pg. 72, paragraphs 2 and 3 – Saved searches can be displayed in a list and selected by a user to display its parameters), 
wherein each search in the list includes: 
a name of the search associated with the identified event of interest (Ginter, [0090] – Host name, user name, certificate name and/or any other information that might serve to identify who or what is connected to the control network via the VPN connection, wherein these are interpreted as possible names of a search. Paragraph [0281] – Metric name),
a type of search performed for the event of interest (Ginter, [0016] – The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack, wherein the type of attack that is searched for is interpreted as the type of search).

As per claim 8, Ginter as modified teaches:
The computer-implemented method of claim 7, further comprising: 
causing display of a drill down view of a machine data underlying the event of interest associated with the search upon selection of the search (Exploring Splunk, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred. See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 9, Ginter as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a domain within which the event of interest is identified (Ginter, [0014] and [0016] – Security events of interest are reported. Paragraph [0022] – The method may perform pattern matching).

As per claim 10, Ginter as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a status field that includes a first selectable option that enables a search for the event of interest (Carasso, pg. 23, paragraph 11 – A search option is displayed in the search dashboard, wherein the search dashboard is interpreted as the status field because it includes a selectable option that enables searches) and
a second selectable option that disables the search for the event of interest (Carasso, pg. 26, paragraphs 2-4 – Pausing, stopping and cancelling searches can be performed in the system, wherein this is interpreted as disabling searches for events of interest).

As per claim 11, Ginter as modified teaches:
The computer-implemented method of claim 7, wherein the type of search includes any one of 
a scheduled search (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment) and 
a real-time search (Ginter, [0067] – The security event monitoring system provides data in real time).

As per claim 12, Ginter as modified teaches:
The computer-implemented method of claim 7, wherein for each event of interest for which the scheduled search is performed, causing display of a date and time when a next search is scheduled to be performed to identify a presence of an event of interest (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment).

As per claim 13, Ginter as modified teaches:
The computer-implemented method of claim 1, wherein the at least one metric from the plurality of metrics is related to operational performance in the information technology environment (Ginter, [0021], [0022] and [0111] – Events of interest may be obtained by parsing data.  Paragraph [0232] – A determination is made as to whether the input data has any one or more matches in accordance with predefined string values indicating events of interest.  Fig. 14 shows possible selections of metrics such as logins, login failures, resource usage, etc., wherein resource usage is interpreted as operational performance).

As per claim 14, Ginter as modified teaches:
The computer-implemented method of claim 1, wherein the machine data include unstructured or semi-structured data (Ginter, [0146] – Raw data may be gathered and alerts may be generated, wherein gathering raw data is interpreted as gathering machine data and generating alerts from that data is interpreted as separating the data into events.  Paragraph [00236] – Schemas can be formed).

As per claim 15, Ginter as modified teaches:
The computer-implemented method of claim 1, wherein the machine data is log data (Ginter [0158] – The log agent searches the log file for predetermined strings of interest, and may store in memory the string found as well as one or more corresponding metrics such as, for example, the number of occurrences of a string).

As per claim 21, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising: 
causing display of, for the at least one metric displayed with the value, a number representing a change in the value relative to a configurable threshold associated with the at least one metric, wherein the change in the value of the at least one metric corresponds to an increase or a decrease in the value relative to the configurable threshold over a configurable time period (Exploring Splunk, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold).

As per claim 22, Ginter as modified teaches:
The computer-implemented method of claim 1, further comprising: 
separating the set of machine data into two or more events by identifying a presence of a feature in the set of machine data, wherein the feature identifies a boundary used to separate the set of machine data into the two or more events, and wherein the two or more events comprise the events of interest (Exploring Splunk, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values (this is especially helpful for the regular expression-challenged among us), wherein this is interpreted as generating a search query based on selection of metrics).

As per claim 23, Ginter as modified teaches:
The computer-implemented method of claim 22, wherein the feature includes a leading punctuation, a word, a white space, or a breaking character (Exploring Splunk, pg. 57, paragraph 2 – By entering the kinds of values you seek (such .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Petersen et al. US 20120246303 A1 teaches log collection, structuring, and processing (Title).
Manes et al. US 20130047039 A1 teaches system and method for computer analysis (Title).
Wilson et al. US 20080086345 A1 teaches asset data collection, presentation, and management (Title).
Kass et al. US 20080086363 A1 teaches technology event detection, analysis, and reporting system (Title).
Qamhiyah et al. US 20060041535 A1 teaches a geometric search engine (Title).

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew Ellis whose telephone number is (571)270-3443.  The examiner can normally be reached on Monday-Friday 8AM-5PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

August 6, 2021
/MATTHEW J ELLIS/Primary Examiner, Art Unit 2152