Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1. 	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
08/17/2021 has been entered.
Notice to Applicant
The following is a Non-Final Office action. In response to Examiner’s Final Rejection of 03/19/2021, Applicant, on 08/17/2021, amended claims 1, 7, 9 and 15. Claims 1- 3 and 5-20 are pending in this application and have been rejected below.

Response to Arguments
Applicant’s arguments filed August 17, 2021 have been fully considered but they are not persuasive and/or are moot in view of the revised rejections.  Applicant’s arguments will be addressed herein below in the order in which they appear in the response filed August 17, 2021.
On page 8 of the Remarks regarding, the U.S.C. § 103 rejection, Applicant argues cited reference DeSmet does not disclose amended claim language “the .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all 

obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3, 5-7, and  9 -20 are rejected under 35 U.S.C. 103 as being unpatentable over Kharisma et al., US Publication No. 20180089188A1 [hereinafter Kharisma], in view of R. Jampa, Storing and Indexing Expressions in Database Systems, University of New Orleans, January 20, 2006 [hereinafter Jampa] .
Regarding Claim 1, 
Kharisma teaches
A system comprising: memory to store a metric database table, the metric database table including a metric key, the metric database table further including a metric descriptor associated with the metric key, and metric logic associated with the metric key, the metric logic being stored in the metric database table… that references a type of a subunit of an electronic device, the metric logic executable against a device datastore.  to extract metric data from the device datastore, the device datastore to store operational data of a plurality of electronic devices, wherein the plurality of electronic devices includes subunits of different types classes and of different types within each class; (Kharisma Figure 4- illustrates multiple data stores (i.e. incident datastore, device datastore, etc.; Par. 81-“FIG. 1 is a high-level system diagram in which an embodiment may be implemented. The system 10 includes data intake and query system 12 interconnected to various components over a network 14. The components include a source 16 of metrics data, another source 18 of non-metrics data, and another source 20 of both metrics and non-metrics data. The sources 16, 18, and/or 20 ("the sources") include computing resources that can generate data (e.g., log data) or are the basis from which data can be generated (e.g., measured performance). The data from these sources can be transferred to the data intake and query system 12 over the network 14.”; Par. 97 – “The SPLUNK.RTM. ENTERPRISE system is the leading platform for providing real-time operational intelligence that enables organizations to collect, index, and search machine-generated data from … mobile devices that power their businesses.";  Par. 112-“ Client devices 28 of FIG. 3 represent any computing device capable of interacting with one or more host devices 30 via a network (connected or wireless); Par. 122-123-“ In an embodiment, the monitoring component 40 may also monitor and collect performance data related to one or more aspects of the operational state of a client application 38 and/or client device 28. For example, a monitoring component 40 may be configured to collect device performance information by monitoring one or more client device…In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device, versions of various software applications installed on the device, and so forth.” “Par. 310-" The ingested metrics data can be distinguished over non-metrics data because metrics data has unique properties that are different from other types of data. For example, the source values of metrics map to metric names indicative of a type of measurement and computing resource.”)
and a processor coupled to the memory, the processor to query the metric database table to obtain the metric logic, the processor to execute the metric logic, … to extract the metric data related to the type of the subunit (Kharisma Par. 90-“ data intake and query system can obtain the metrics data from the sources To speed up certain types of metrics queries, acceleration tables that contain metrics data and/or data related to the metrics data can be created from earlier search queries based on msidx files. FIG. 58 includes an example of an acceleration table 410. The mechanism that creates the acceleration table 410 can be initiated automatically or manually by a user per search, and/or per bucket.” Par. 107-“For example, the one or more computing devices may include one or more memories that store instructions for implementing the various components described herein, one or more hardware processors configured to execute the instructions stored in the one or more memories, and various data repositories in the one or more memories for storing data structures utilized and manipulated by the various components.”;)
the processor to associate extracted metric data to a class of the subunit and output the extracted metric data in association with the metric key to an incident datastore to monitor for incidents related to operations of the class of the subunit among the plurality of electronic devices  (Kharisma Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 169-170- FIG. 15 illustrates an example data model object selection graphical user interface 90 that displays available data objects 92 for the selected data object model 88. The user may select one of the displayed data model objects 94 for use in driving the report generation process. “; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 128-“In an embodiment, a forwarder 42 may comprise a service accessible to client devices 28 and host devices 30 via a network 34. For example, one type of forwarder 42 may be capable of consuming vast amounts of real-time data from a potentially large number of client devices 28 and/or host devices 30.”) 
the processor to output the metric descriptor in association with the extracted metric data, wherein the metric descriptor corresponds to the class of the subunit and is generic to different types of the subunit within the class (Kharisma Par. 105-“ In some embodiments, a common field name may be used to reference two or more fields containing equivalent data items, even though the fields may be associated with different types of events that possibly have different data formats and different extraction rules. By enabling a common field name to be used to identify equivalent fields from different types of events generated by disparate data sources, the system facilitates use of a “common information model” (CIM) across the disparate data sources (further discussed with respect to FIG. 7).”[By Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 128-“In an embodiment, a forwarder 42 may comprise a service accessible to client devices 28 and host devices 30 via a network 34. For example, one type of forwarder 42 may be capable of consuming vast amounts of real-time data from a potentially large number of client devices 28 and/or host devices 30.”) 
Kharisma teaches database storage (Kharisma See Figure 4)  and the following feature is expounded upon by Jampa:
…the metric logic being stored in the metric database table “as an executable query expression” …(Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The
output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
…by directly executing the executable query expression… (Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The
output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
Kharisma discloses the use of query language and database infrastructure.  Jampa improves upon the database infrastructure.  It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Kharisma to utilize query expressions, as taught by Jampa, with a reasonable expectation of success of arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make the modification to the teachings of Kharisma with the motivation more powerful model of storing and handling expressions. (Jampa Conclusion).
Regarding Claim 2 and Claim 10, 
the system of claim 1,… and the method of claim 9, further comprising…
… wherein the processor is to continually query the metric database table (cycling through cycling through a plurality of metric keys) to obtain the metric logic, execute the metric logic against the device datastore to extract the metric data, and output extracted metric data in association with the metric key to the incident datastore. (Kharisma Par. 90-“In some cases, the sources can generate, process, and/or store semi-structured or structured metrics data. The metrics data includes at least one metric, which includes at least one or only one numerical value that represents a performance measurement of a characteristic of a computing resource. The data intake and query system can obtain the metrics data from the sources over the network 14 via a variety of mechanism, which are described in greater detail below.”;  Par. 208 – “During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat. These notable events can be detected in a number of ways: (1) a user can notice a correlation in the data and can manually identify a corresponding group of one or more events as “notable;” or (2) a user can define a “correlation search” specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events are notable. A user can alternatively select a pre-defined correlation search provided by the application. Note that correlation searches can be run continuously or at regular intervals (e.g., every hour) to search for notable events. Upon detection, notable events can be stored in a dedicated “notable events index,” which can be subsequently accessed to generate various visualizations containing security-related information. Also, alerts can be generated to notify system operators when important notable events are discovered.")
  Regarding Claim 3, 
Kharisma in view of Jampa teach the system of claim 2,…
wherein extracted metric data is accumulated at the incident datastore, wherein the processor is to timestamp extracted metric data, wherein metric data extracted at different times are distinguishable by respective timestamps. (Kharisma Par. 141 – “At step 518, the indexer stores the events with an associated timestamp in a data store 48. Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval. For example, buckets containing the most recent events can be stored in flash memory rather than on a hard disk”).
Regarding Claim 4 - Cancelled 
Regarding Claim 5 and Claim 13, 
Kharisma in view of Jampa teach the system of claim 1,… and the method of claim 11,…
wherein the incident datastore comprises an incident database table, wherein the processor (wherein outputting the extracted metric data to an incident datastore) is to insert the extracted metric data into the incident (single) database table. (Kharisma Par. 190 – “The configuration files for events retrieved at search time can be used to populate a summarization table by applying all the extraction rules of the retrieved events to the retrieved events."; Par. 198-" In some embodiments, the system 32 can maintain a separate summarization table for each of the above-described time-specific buckets that stores events for a specific time range. A bucket-specific summarization table includes entries for specific field value combinations that occur in events in the specific bucket.”)
Regarding Claim 6, Kharisma in view of Jampa teach the system of claim 5, …
Kharisma teaches 
wherein the incident datastore comprises only a single incident database table. (Kharisma Par. 99-"In some instances, machine data can have a predefined format, where data items with specific data formats are stored at predefined locations in the data. For example, the machine data may include data stored as fields in a database table."; Par. 180-181-“ To speed up certain types of queries, some embodiments of the system 32 create a high performance analytics store, which can be referred to as a “summarization table,” that contains entries for specific field-value pairs. A summarization table may be populated in response to a search query applied to events. The system can then use the summarization table to accelerate subsequent queries related to the events subject to the original search query. As such, the system can accelerate the subsequent queries by using the data contained in the summarization table to return search results, while avoiding the processing otherwise required to obtain the original search results. For example, the system 32 may receive a search query for events that have specified keywords. A summarization table produced in response to the search query can be used for perform subsequent statistical queries related to the events including the specified keywords.”)
Regarding Claim 7, Kharisma in view of Jampa teach the system of claim 1,…
Kharisma teaches 
wherein, the processor is further to output the metric descriptor to the incident datastore to display the metric descriptor in association with the extracted metric data at an incident user interface. (Kharisma Par. 407 – “FIG. 30 illustrates a user interface screen of a metric catalog displaying a selected metric source according to some embodiments of the present disclosure. As shown, when a metric 284 is selected, the interface 270 displays one or more tiles 286. Each of the tiles 286 is configured to display a sub-set of information associated with a selected metric. For example, in the illustrated embodiment, the interface 270 includes a general description tile 286-1, a dimensions tile 286-2, a metrics data tile 286-3, an event mapping tile 286-4, and a tag tile 286-5. However, it should be appreciated that fewer, additional, and/or alternative tiles can be included on the interface 270. The general description tiles 286-1 is configured to display general catalog information of a selected metric 284, such as a description of the metric, a type (e.g., a numerical type such as gauge, value, percentage, aggregate value, etc.), a default visualization type (discussed in more detail below), a unit (such as a percentage, MB, GB, clock cycles, etc.), and a collection frequency. The description of the metric is configured to provide a user with a general overview of the event and/or machine-generated data represented by the data”)
  Regarding Claim 9, 
Kharisma teaches
A method comprising: querying a metric database table to obtain metric logic, the metric database table storing the metric logic in association with a metric key and a metric descriptor, the metric logic being stored in the metric database table …that references a type of a subunit of an electronic device; (Kharisma Figure 4- illustrates multiple data stores (i.e. incident datastore, device datastore, etc.; Par. 81-“ FIG. 1 is a high-level system diagram in which an embodiment may be implemented. The system 10 includes data intake and query system 12 interconnected to various components over a network 14. The components include a source 16 of metrics data, another source 18 of non-metrics data, and another source 20 of both metrics and non-metrics data. The sources 16, 18, and/or 20 ("the sources") include computing resources that can generate data (e.g., log data) or are the basis from which data can be generated (e.g., measured performance). The data from these sources can be transferred to the data intake and query system 12 over the network 14.”;Par. 97 – “The SPLUNK.RTM. ENTERPRISE system is the leading platform for providing real-time operational intelligence that enables organizations to collect, index, and search machine-generated data from … mobile devices that power their businesses.";  Par. 112-“ Client devices 28 of FIG. 3 represent any computing device capable of interacting with one or more host devices 30 via a network (connected or wireless); Par. 122-123-“ In an embodiment, the monitoring component 40 may also monitor and collect performance data related to one or more aspects of the operational state of a client application 38 and/or client device 28. For example, a monitoring component 40 may be configured to collect device performance information by monitoring one or more client device…In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device, versions of various software applications installed on the device, and so forth.” “Par. 310-" The ingested metrics data can be distinguished over non-metrics data because metrics data has unique properties that are different from other types of data. For example, the source values of metrics map to metric names indicative of a type of measurement and computing resource.”)
executing the metric logic … in the metric database table against a device datastore that contains operational data of a plurality of electronic devices to extract metric data related to the type of the subunit, wherein the plurality of electronic devices includes subunits of different classes and of different types within each class ; (Kharisma Par. 103-“ As noted above, the SPLUNK.RTM. ENTERPRISE system utilizes a late-binding schema to event data while performing queries on events. One aspect of a late-binding schema is applying "extraction rules" to event data to extract values for specific fields during search time. More specifically, the extraction rules for a field can include one or more instructions that specify how to extract a value for the field from the event data. An extraction rule can generally include any type of instruction for extracting values from data in events. In some cases, an extraction rule comprises a regular expression where a sequence of characters forms a search pattern, in which case the rule is referred to as a "regex rule."; Par. 105-“In some embodiments, a common field name may be used to reference two or more fields containing equivalent data items, even though the fields may be associated with different types of events that possibly have different data formats and different extraction rules. By enabling a common field name to be used to identify equivalent fields from different types of events generated by disparate data sources, the system facilitates use of a “common information model” (CIM) across the disparate data sources (further discussed with respect to FIG. 7).”[By utilizing a common field name the system generates data for by class for multiple subunits]; Par. 112-“ Client devices 28 of FIG. 3 represent any computing device capable of interacting with one or more host devices 30 via a network (connected or wireless); Par. 122-123-“ In an embodiment, the monitoring component 40 may also monitor and collect performance data related to one or more aspects of the operational state of a client application 38 and/or client device 28. For example, a monitoring component 40 may be configured to collect device performance information by monitoring one or more client device…In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device, versions of various software applications installed on the device, and so forth.” ;Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”)
outputting extracted metric data in association with the metric key to an incident datastore in association with a class of the subunit; (Kharisma Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 128-“In an embodiment, a forwarder 42 may comprise a service accessible to client devices 28 and host devices 30 via a network 34. For example, one type of forwarder 42 may be capable of consuming vast amounts of real-time data from a potentially large number of client devices 28 and/or host devices 30.”) 
and initiating display of an indication of the extracted metric data in conjunction with the metric descriptor at an incident user interface to describe an incident related to an operation of the class of the subunit among the plurality of electronic devices, wherein the metric descriptor corresponds to the class of the subunit and is generic to different types of the subunit within the class  (Kharisma Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 169-170- FIG. 15 illustrates an example data model object selection graphical user interface 90 that displays available data objects 92 for the selected data object model 88. The user may select one of the displayed data model objects 94 for use in driving the report generation process. “; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 105-“ In some embodiments, a common field name may be used to reference two or more fields containing equivalent data items, even though the fields may be associated with different types of events that possibly have different data formats and different extraction rules. By enabling a common field name to be used to identify equivalent fields from different types of events generated by disparate data sources, the system facilitates use of a “common information model” (CIM) across the disparate data sources (further discussed with respect to FIG. 7).”[By utilizing a common field name the system generates data for by class for multiple subunits]”)
Kharisma teaches database storage (Kharisma See Figure 4) and the following feature is expounded by Jampa:
…the metric logic being stored in the metric database table “as an executable query expression… the executable query expression being in a structured query language” …(Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
…by directly executing the executable query expression as stored in the structured query language “ … (Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
Kharisma is directed to a monitoring systems with the use of query language and database infrastructure.  Jampa improves upon the database infrastructure.  It would 
Regarding Claim 11, Kharisma in view of Jampa teach the method of claim 9,…
Kharisma teaches
further comprising timestamping the extracted metric data and accumulating timestamped extracted metric data at the incident datastore. (Kharisma Par. 141 – “At step 518, the indexer stores the events with an associated timestamp in a data store 48. Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval. For example, buckets containing the most recent events can be stored in flash memory rather than on a hard disk.”)
Regarding Claim 12,  Kharisma in view of Jampa teach the method of claim 11,…
Kharisma teaches
further comprising mapping extracted metric data to a time scale to obtain a metric and initiating display of the metric at the incident user interface. (Kharisma Par. 218- “The SPLUNK.RTM. APP FOR VMWARE.RTM. also provides a user interface that enables a user to select a specific time range and then view heterogeneous data comprising events, log data, and associated performance metrics for the selected time range.”; Par. 256 – “SPLUNK.RTM. IT SERVICE INTELLIGENCE.TM. provides a visualization for incident review showing detailed information for notable events. The incident review visualization may also show summary information for the notable events over a time frame, such as an indication of the number of notable events at each of a number of severity levels. The severity level display may be presented as a rainbow chart with the warmest color associated with the highest severity classification. The incident review visualization may also show summary information for the notable events over a time frame, such as the number of notable events occurring within segments of the time frame. The incident review visualization may display a list of notable events within the time frame ordered by any number of factors, such as time or severity.”)

Regarding Claim 14, 
Kharisma in view of Jampa teach the method of claim 11, wherein executing the metric logic against the device datastore  as stated in Claim 9 above.
Kharisma teaches
comprises executing a structured query language query against a database table containing the operational data. (Kharisma Par. 149 – “The search head 50 allows users to search and visualize event data extracted from raw machine data received from homogenous data sources. It also allows users to search and visualize event data extracted from raw machine data received from heterogeneous data sources. ... Other query languages, such as the Structured Query Language (“SQL”), can be used to create a query.”)
Regarding Claim 15, 
Kharisma teaches
A system comprising: an incident datastore; and a processor to obtain metric logic from a metric database table… that references a type of a subunit of an electronic device, the processor  to execute  … of the metric logic as stored in the structured query language in the metric database table against a device datastore that stores operational data of a plurality of electronic devices that includes subunits of different classes and of different types within each class; (Kharisma Figure 4- illustrates multiple data stores (i.e. incident datastore, device datastore, etc.; Par. 81-“ FIG. 1 is a high-level system diagram in which an embodiment may be implemented. The system 10 includes data intake and query system 12 interconnected to various components over a network 14. The components include a source 16 of metrics data, another source 18 of non-metrics data, and another source 20 of both metrics and non-metrics data. The sources 16, 18, and/or 20 ("the sources") include computing resources that can generate data (e.g., log data) or are the basis from which data can be generated (e.g., measured performance). The data from these sources can be transferred to the data intake and query system 12 over the network 14.”;Par. 97 – “The SPLUNK.RTM. ENTERPRISE system is the leading platform for providing real-time operational intelligence that enables organizations to collect, index, and search machine-generated data from … mobile devices that power their businesses.";  Par. 112-“ Client devices 28 of FIG. 3 represent any computing device capable of interacting with one or more host devices 30 via a network (connected or wireless); Par. 122-123-“ In an embodiment, the monitoring component 40 may also monitor and collect performance data related to one or more aspects of the operational state of a client application 38 and/or client device 28. For example, a monitoring component 40 may be configured to collect device performance information by monitoring one or more client device…In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device, versions of various software applications installed on the device, and so forth.” “Par. 310-" The ingested metrics data can be distinguished over non-metrics data because metrics data has unique properties that are different from other types of data. For example, the source values of metrics map to metric names indicative of a type of measurement and computing resource.”)
 the metric logic to extract metric data related to the type of the subunit from the device datastore, (Kharisma Par. 90-“ data intake and query system can obtain the metrics data from the sources over the network 14 via a variety of mechanism, which are described in greater detail below. However, existing data intake and query To speed up certain types of metrics queries, acceleration tables that contain metrics data and/or data related to the metrics data can be created from earlier search queries based on msidx files. FIG. 58 includes an example of an acceleration table 410. The mechanism that creates the acceleration table 410 can be initiated automatically or manually by a user per search, and/or per bucket.” Par. 107-“For example, the one or more computing devices may include one or more memories that store instructions for implementing the various components described herein, one or more hardware processors configured to execute the instructions stored in the one or more memories, and various data repositories in the one or more memories for storing data structures utilized and manipulated by the various components.”;)
the processor to output extracted metric data to the incident datastore in association with a metric descriptor that corresponds to the class of the subunit and is generic to different types of the subunit within the class  (Kharisma Par. 105-“ In some embodiments, a common field name may be used to reference two or more fields containing equivalent data items, even though the fields may be associated with different types of events that possibly have different data formats and different extraction rules. By enabling a common field name to be used to identify equivalent fields from different types of events generated by disparate data sources, the system facilitates use of a “common information model” (CIM) across the disparate data sources (further discussed with respect to FIG. 7).”[By Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 128-“In an embodiment, a forwarder 42 may comprise a service accessible to client devices 28 and host devices 30 via a network 34. For example, one type of forwarder 42 may be capable of consuming vast amounts of real-time data from a potentially large number of client devices 28 and/or host devices 30.”) 
the incident datastore containing an incident database table to store the extracted metric data and to monitor for incidents related to operations of the class of the subunit among the plurality of electronic devices (Kharisma Par. 123-“In an embodiment, the monitoring component 40 may also monitor and collect other device profile information including, for example, a type of client device, a manufacturer and model of the device [model equates to class], versions of various software applications installed on the device, and so forth.”; Par. 169-170- FIG. 15 illustrates an example data model object selection graphical user interface 90 that displays available data objects 92 for the selected data object model 88. The user may select one of the displayed data model objects 94 for use in driving the report generation process. “; Par. 210-"These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events.” These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication.; Par. 128-“In an embodiment, a forwarder 42 may comprise a service accessible to client devices 28 and host devices 30 via a network 34. For example, one type of forwarder 42 may be capable of consuming vast amounts of real-time data from a potentially large number of client devices 28 and/or host devices 30.”)  
Kharisma teaches database storage (Kharisma See Figure) and the following feature is expounded by Jampa:
…”as an executable query expression” … “the executable query expression being in a structured query language,” …(Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
the processor to execute “the executable query expression” of the metric logic (Jampa Section 2.2.3 Handling Expressions (Pgs. 8-9) states "Expressions must adhere to the SQL WHERE clause format. ... Expressions are stored in a column of a user table with an Expression datatype. The values stored in a column of this type are constrained to be Expressions. A user table can have one or more Expression type columns." Section 2.2.2- Evaluation of Expression; Section 3.3.1- Algorithm-“Here two tables are used, one for storing Predicates and the other is for storing Expressions. The output of an input data-item to be evaluated would be the Expression-id’s of the Expression table that are evaluated to True”)
Kharisma is directed to a monitoring systems with the use of query language and database infrastructure.  Jampa improves upon the database infrastructure.  It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Kharisma to utilize query expressions, as taught by Jampa, with a reasonable expectation of success of arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make the modification to the teachings of Kharisma with the motivation more powerful model of storing and handling expressions. (Jampa Conclusion).
 Regarding Claim 16, 
Kharisma in view of Jampa teach the system of claim 15…,
wherein the metric logic includes an expression to query the device datastore and to insert the extracted metric data into the incident database table (Kharisma Figure 4- illustrates multiple data stores (i.e. incident datastore, device datastore, etc.; Par. 149 – “The search head 50 allows users to search and visualize event data extracted from raw machine data received from homogenous data sources. It also allows users to search and visualize event data extracted from raw machine data received from heterogeneous data sources. ... Other query languages, such as the Structured Query Language (“SQL”), can be used to create a query.””).
Regarding Claim 17, Kharisma in view of Jampa teach the system of claim 15…
wherein the metric logic is to extract metric data from the device datastore irrespective of a condition expressed in the metric logic. (Kharisma. Par. 104-“ In the SPLUNK.RTM. ENTERPRISE system, a field extractor may be configured to automatically generate extraction rules for certain field values or for a group of common field values (e.g., CPU metric from different sources Amazon Web Services, Google Cloud Platform, Linux OS) in the events, when the events are being created, indexed, or stored, or possibly at a later time. Alternatively, a user may manually define extraction rules for fields or a group of fields using a variety of techniques. In contrast to a conventional schema for a database system, a late-binding schema is not defined at data ingestion time. Instead, the late-binding schema can be developed on an ongoing basis until the time a query is actually executed. This means that extraction rules for the fields in a query may be provided in the query itself, or may be located during execution of the query. Hence, as a user learns more about the data in the events, the user can continue to refine the late-binding schema by adding new fields, deleting fields, or modifying the field extraction rules for use the next time the schema is used by the system. Because the SPLUNK.RTM. ENTERPRISE system maintains the underlying raw data and uses late-binding schema for searching the raw data, it enables a user to continue investigating and learning valuable insights about the raw data.”; Par. 535)
he system of claim 15…
wherein the metric logic is to extract metric data only for operational data that meets a condition expressed in the metric logic. (Kharisma -Par. 535-“ In some embodiments, the query may specify a desired correlation operation between metrics and non-metrics data. For example, in step 5912, the data intake and query system can extract field values from time-indexed events that also satisfy search criteria and correlate the extracted field values and the metrics query results to obtain correlation results. Then, in step 5914, the query results (or correlation results) or data indicative of the query results (or correlation results) can be displayed on a display device.”)
Regarding Claim 19, Kharisma in view of Jampa teach the system of claim 15,…
wherein the operation data includes data from a measurement taken at the plurality of electronic devices, and wherein the metric logic defines a metric based on a comparison of a measurement to a condition. (Kharisma- Par. 535- “In some embodiments, the query may specify a desired correlation operation between metrics and non-metrics data. For example, in step 5912, the data intake and query system can extract field values from time-indexed events that also satisfy search criteria and correlate the extracted field values and the metrics query results to obtain correlation results. Then, in step 5914, the query results (or correlation results) or data indicative of the query results (or correlation results) can be displayed on a display device.”
Regarding Claim 20, Kharisma in view of Jampa teach the system of claim 15,…
Kharisma teaches 
wherein the metric logic is to accumulate metric data at the incident datastore over time, and wherein the processor is further to define a time-based metric from accumulated metric data (Kharisma- Par. 286-287- “This capability enables implementing metric key performance indicators (MKPIs).; MKPIs are defined for a service within an MITSI application. Each MKPI measures an aspect of service performance at a point in time or over a period of time. Each MKPI is defined by a search query that derives a MKPI value from the metrics data associated with the entities that provide the service. Information in the entity definitions may be used to identify the appropriate metrics at the time a MKPI is defined or whenever a MKPI value is determined. The MKPI values derived over time may be stored to build a repository of current and historical performance information for the service, and the repository itself may be subject to search query processing. Aggregate MKPIs may be defined to provide a measure of service performance calculated from a set of MKPI values; this aggregate may be taken across defined timeframes and/or multiple services.; Par. 326-“ In some embodiments, metrics can be generated from ingested time-indexed events that include raw data. Specifically, raw data received by the data intake and query system is processed to create events that are time-indexed and stored as detailed above.; Par. 327 Specifically, ingested raw data can be processed into metrics having an n-tuple of elements including a timestamp, a metric name, a measured numerical value, and many other dimensions as represented in FIG. 22. For example, log data can be stored as time-indexed events and then processed to extract field values used to populate metric dimensions. In some embodiments, the extracted field values from time-indexed events can be incorporated into metrics that have the same format as the structured metrics collected from remote sources. By processing the structured metrics and/or raw data to obtain metrics having the same specified format, resulting metrics can be correlated to obtain new insights about, for example, the performance of computing resources. “
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kharisma et al., US Publication No. 20180089188A1 [hereinafter Kharisma], in view of R. Jampa, Storing and Indexing Expressions in Database Systems, University of New Orleans, January 20, 2006 [hereinafter Jampa], and in further view of Anderson et al., US Publication No US 20130124669A1 [hereinafter Anderson] .
Regarding Claim 8, Kharisma in view of Jampa teach the system of claim 1…
Kharisma in view of Jampa fail to teach the following feature taught by Anderson:
further comprising the plurality of electronic devices as managed electronic devices in a Device-as-a-Service system. (Anderson -Par. 37-“ For example, other embodiments may include multiple analytics-platform computing systems 12, a single or many more monitoring computing instances 26, a single or many more monitored computing systems 14, 16, and 18, a single or many more monitored computing instances 28 within each of the monitored computing systems 14, 16, and 18, more than one collector 30 within each monitored computing instance 28, and zero, one, or many more than one client devices 20, 22, and 24 each associated with one of the monitored computing system 14, 16, and 18. "; Par. 94-"FIG. 7 illustrates details of an embodiment of the analytics-platform computing system 12 introduced in FIG. 1. In some embodiments, the analytics-platform computing system 12 is a scalable cloud-based computer system management program capable of providing computer system management as a service to a plurality of accounts each having computer systems with a plurality of monitored computing instances.”)
Kharisma and Anderson are directed to database storing. It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Kharisma in view of Jampa to utilize a datastore for managed devices, as taught by Anderson, with a reasonable expectation of success of arriving at the claimed invention. One of ordinary skill in the art would have been motivated to make the modification to the teachings of Kharisma in view of Jampa with the motivation to monitor data indicative of performance with sufficient granularity (Anderson Par. 6).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US Patent Publication No. US 20190097909A1 to Puri – Abstract- “Information technology environment monitoring systems, for example, perform analytics over machine data received from networked entities. Outputs of such a system may be useful to help a user identify a problem and resolve an incident. Inventive aspects enable user interactions to trigger automatic connection with network servers to establish communication channels for conveying analytics and other information related to the problem between and among network nodes participating in the resolution of the problem or incident.”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Chesiree Walton, whose telephone number is (571) 
	Another resource that is available to applicants is the Patent Application Information Retrieval (PAIR). Information regarding the status of an application can be obtained from the (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAX. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, please feel free to contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
	Applicants are invited to contact the Office to schedule an in-person interview to discuss and resolve the issues set forth in this Office Action.  Although an interview is not required, the Office believes that an interview can be of use to resolve any issues related to a patent application in an efficient and prompt manner.

Sincerely,
/CHESIREE A WALTON/Examiner, Art Unit 3624