Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190146763 A1 Gould; Joel (hereinafter Gould) in view of US 20200104110 A1; Singh; Manbinder Pal (hereinafter Singh)
Regarding claim 15, Gould teaches A system, comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the system to: receive records of activity within a stream-processing system over a set of event streams (Gould [0002] The present description relates to computer-implemented methods, data processing systems and machine-readable hardware storage devices for generating key-specific logs from execution of executable logic that is currently applied to one or more keyed data items in a stream of data items, e.g., data items coming in via a network connection from networked applications. [0003] A log records either events that occur in an operating system or other software runs, or messages between wherein each event stream in the set of event streams contains events related to a corresponding job in the stream-processing system; (Gould [0128] Environment 100 includes audit file processor module 114, which includes a graph that processes raw information (i.e., audit files stored in database 112) and re-formats the raw information into a format for an ICFF. In this example, database 112 transmits the audit files to audit file processor module 114 for re-formatting. In turn, audit file processor module 114 transmits the re-formatted files to database 116, which writes a re-formatted file into an ICFF record 116a; indexed (in index 116) by one or more key fields (e.g., subject ID) and consolidated by time (e.g., hourly or daily). In this example, ICFF record 116a references (e.g., via a pointer or another referencing data structure) block of data 116c. In this example, while portions of the raw information are reformatted for ICFF record 116a (which is then indexed in index 116b) other portions of the raw information are stored in block of data[0131] In some examples, database 116 includes a relational database, rather than an ICFF, as the goal of implementation of database 116 is to be able to query for sequences of events. To do so, the sytem transforms the stream of audit records into one or more records (e.g., ICFF records). Each record includes one or more index data in the records under a set of keys comprising a first key related to jobs in the stream-processing system (Gould   [0031] In a general aspect 28, described is a data processing system for identifying one or more portions of executable logic that are executed in processing one or more data items that are each associated with a given value of a key, wherein a specification represents the executable logic, wherein the specification is associated with the key and wherein states of the specification are maintained for respective values of the key, the data processing system including one or more processing devices; and one or more machine-readable hardware storage devices storing instructions that are executable by the one or more processing devices to perform operations including: ...[0128] Environment 100 includes audit file processor module 114, which includes a graph that processes raw information (i.e., audit files stored in database 112) and re-formats the raw information into a format for an ICFF. In this example, database 112 transmits the audit files to audit file processor module 114 for re-formatting. In turn, audit file processor module 114 transmits the re-formatted files to database 116, which writes a re-formatted file into an ICFF record 116a; indexed (in index 116) by one or more key fields (e.g., subject ID) and consolidated by time (e.g., hourly or daily). In this example, ICFF record 116a references (e.g., via a pointer or another referencing data structure) block of data 116c. In this example, while portions of the raw information are reformatted for ICFF record 116a (which is then indexed in index 116b) other portions of the raw information are stored in block of data[0131] In some and a second key related to errors in the stream-processing system; (Gould [0138] Event engine 102 creates multiple different types of audit records to store in an ICFF in database 116. The below Table 1 specifies the different types of audit records, with their corresponding fields. Some of the below audit record types are optional depending on the level of logging. In this example, an ICFF stores a list of fields, corresponding the fields shown in the below Table 1, e.g., for use in generating the key fields of the ICFF record--as described above. Values for fields that are italicized in the below Table 1 are not generated by the event engine 102...When the event engine reads either a shared variable subject.sub.--id, or a chart instance variable. instance.sub.--id, variable_name, variable_value Monitoring timestamp, P Each monitoring point (which are associated with point subject.sub.--id, * links) has a condition and an expression. The event instance.sub.--id, engine generates an audit record only when the point_name, condition is true and computes the expression and point_value records the resulting value. Error dispatch timestamp, + This audit record type indicates that an error subject.sub.--id, occurred while executing the chart. instance.sub.--id, error_message, not_handled [144] The and output the indexed data (Gould [FIG.4] shows the system with the output abilities of the indexed [134]  Environment 100 also includes batch graph module 122 that is run "as needed" to compute metrics (such as one or more states prevailing in system 100) for display, e.g., in user interface 124. In this example, batch graph module 122 accesses metrics from metrics database 120 and/or from database 116 and processes those accessed metrics for display in user interface 124. In this example, the graph generated or executed by batch graph module 118 has no persistent state and a metric state is persisted in metrics database 120. As such, match graph module 120 queries metrics database 120 for metrics for display in user interface 122. In an example, various types of user interfaces are displayed, including, e.g., a dynamic display of metrics, reports on metrics and an investigation interface, each of which are described below: ... [135-136] further elaborate on the user interface for outputting the data)								Gould lacks explicitly teaching wherein each value of the second key is generated based on an error type of an error and a stack trace associated with the error; 												wherein each value of the second key is generated based on an error type of an error and a stack trace associated with the error; (Singh [0041] Once the stack trace is generated by the operating system 208 of the end user computer 102, the error/exception handler 214 logs or otherwise writes the stack trace to the error/exception log file 216, and the signature module 218 generates a unique signature (e.g., a digital signature, a hash signature) based on the logged stack trace information. It is noted that the signature module 218 can employ any suitable technique for generating the unique signature, [0055] Having described the foregoing illustrative embodiments, other alternative embodiments and/or variations may be made and/or practiced. For example, it was described herein that, once an exception is thrown within an application program, the operating system of an end user computer could automatically generate a stack trace, and that a signature module running on the end user computer could generate a unique signature based on the stack trace information. In an alternative embodiment, the signature module can be configured to generate a unique signature based on certain unstructured descriptive information pertaining to an error or exceptional event, unstructured information contained in a snapshot on a display screen at the time of the error or exceptional event, and/or any other suitable structured and/or unstructured information or artifacts pertaining to the error or exceptional event. In a further alternative embodiment, multiple signature modules can be provided that employ different techniques for generating unique signatures based on different types of errors or exceptional events experienced during execution of the application program, and/or different versions of the application program or program 
Regarding claim 19, the combination of Gould and Singh teach The system of claim 15, wherein the records of activity comprise at least one of: a job name; a job identifier (ID); a container name; a container ID; a source version; a host name; a timestamp; an offset; and an error. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The 
Claims 1,2,3,10,11,13,14, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of US 20100046393 A1; Knapp; Stephen et al. (hereinafter Knapp), US 20140067772 A1; Sabbouh; Marwan et al. (hereinafter Sabbouh) and US 20200295879 A1 JAS; Frank (hereinafter Jas)
Regarding claim 1, Gould teaches a method, comprising: receiving, by one or more computer systems, records of activity within a stream-processing system over a set of event streams; (Gould [0002] The present description relates to computer-implemented methods, data processing systems and machine-readable hardware storage devices for generating key-specific logs from execution of executable logic that is currently applied to one or more keyed data items in a stream of data items, e.g., data items coming in via a network connection from networked applications. [0003] A log records either events that occur in an operating system or other software runs, or messages between different users of a communication software. [0022] the method further includes: generating a stream of log records documenting paths taken through the chart; transforming the generated indexing, by the one or more computer systems, data in the records under a set of keys comprising a first key related to jobs in the stream- processing system (Gould   [0031] In a general aspect 28, described is a data processing system for identifying one or more portions of executable logic that are executed in processing one or more data items that are each associated with a given value of a key, wherein a specification represents the executable logic, wherein the specification is associated with the key and wherein states of the specification are maintained for respective values of the key, the data processing system including one or more processing devices; and one or more machine-readable hardware storage devices storing instructions that are executable by the one or more processing devices to perform operations including: ...[0128] Environment 100 includes audit file processor module 114, which includes a graph that processes raw information (i.e., audit files stored in database 112) and re-formats the raw information into a format for an ICFF. In this example, database 112 transmits the audit files to audit file processor module 114 for re-formatting. In turn, audit file processor module 114 transmits the re-formatted files to database 116, which writes a re-formatted file into an ICFF record 116a; indexed (in index 116) by one or more key fields (e.g., subject ID) and consolidated by time (e.g., hourly or daily). In this example, ICFF record 116a references (e.g., via a pointer or another referencing and a second key related to errors in the stream-processing system (Gould [0138] Event engine 102 creates multiple different types of audit records to store in an ICFF in database 116. The below Table 1 specifies the different types of audit records, with their corresponding fields. Some of the below audit record types are optional depending on the level of logging. In this example, an ICFF stores a list of fields, corresponding the fields shown in the below Table 1, e.g., for use in generating the key fields of the ICFF record--as described above. Values for fields that are italicized in the below Table 1 are not generated by the event engine 102...When the event engine reads either a shared variable subject.sub.--id, or a chart instance variable. instance.sub.--id, variable_name, variable_value Monitoring timestamp, P Each monitoring point (which are associated with point subject.sub.--id, * links) has a condition and an expression. The event instance.sub.--id, engine generates an audit record only when the point_name, condition is true and computes storing, in the indexed data, a mapping of the first key value to fields that comprise an … timestamp that is set to a first timestamp in the first record; (Gould  [0129] In some example, the audit records and/or audit files are reformatted for the ICFF by batching audit records together at a specified granularity (e.g., one event for one subscriber for one chart), computing key fields that will be stored on an ICFF record (e.g., fields for event type, subscriber ID, timestamp, chart instance ID, etc.) and then grouping the remaining audit records together in a collection, as follows: [132] the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record. Additionally, the system constructs a block of data corresponding to remaining audit and outputting the indexed data (Gould [FIG.4] shows the system with the output abilities of the indexed [134]  Environment 100 also includes batch graph module 122 that is run "as needed" to compute metrics (such as one or more states prevailing in system 100) for display, e.g., in user interface 124. In this example, batch graph module 122 accesses metrics from metrics database 120 and/or from database 116 and processes those accessed metrics for display in user interface 124. In this example, the graph generated or executed by batch graph module 118 has no persistent state and a metric state is persisted in metrics database 120. As such, match graph module 120 queries metrics database 120 for metrics for display in user interface 122. In an example, various types of user interfaces are displayed, including, e.g., a dynamic display of metrics, reports on metrics and an investigation wherein indexing the data in the records comprises: when a first record received over the set of event streams produces a first key value in the set of keys that is not found in the indexed data, (Sabbouh [0099] In an instance in which there is a data conflict between the master storage 92 and the text index 93, the index manager 72 may use the metadata associated with a service key or user key of the master storage 93 to recover the metadata missing from the text index 93 and may rewrite the metadata (e.g., the missing metadata) to the text index 93, as described more fully below. To detect whether there is a data discrepancy between the master storage 92 and the text index 93, the index manager 72 may analyze the metadata in the text index 93 and the metadata that is available in the service key or user key of the master storage 92. In an instance in which, the index manager 72 determines that the service key or user key stored in the master storage 92 has metadata that is not in the text index 93, the index manager 72 may rewrite the metadata (e.g., version information (e.g., a version number), timestamp information (e.g., a creation date, a creation time), an author or originator of a document(s), etc.) associated with the service key or user key again to the text index 93 )											Therefore, it would have been obvious to one of ordinary skill in the art before the  for each subsequent record received over the set of event streams that produces a second key value that is identical to the first key value, setting a latest timestamp in the fields to a second timestamp in the subsequent record; (Knapp [0063] If the first cache entry is not empty, headercap 202 determines 254 if the current packet's CRC matches the first cache entry's CRC. If it matches, then the current packet header is considered to be of like-kind to the packet header(s) represented by this cache entry, so the counter is incremented 256, the length is increased by the size of the packet header, and the latest packet header timestamp is updated with the timestamp of the current packet header. Before this happens, the packet counter is checked 258 for an overflow condition. If incrementing the counter would cause an overflow, the cache entry is written 260 to disk, the count and length are set to 0, the first packet header timestamp is set, and the IP packet length is set. Average packet lengths of up to 65537 are supported in this implementation, so no check is required for packet length overflows, thereby saving approximately one CPU cycle per packet.   [0067] The cache is used to count like-kind packets. Since each packet is associated with a count, total length, and multiple timestamps, a side channel was required to convey this information for each packet header in the pcap file. Headercap stores these values in the data portion of the packet. Specifically, the count, length, and first packet timestamp are stored in the data portion. The latest IP packet timestamp is stored in the field of the pcap data structure that records the time the IP packet was seen on the wire [0130] determine the sites subscribing to the group, a first and last time stamp observed for these packets within the desired time interval, and a total number of bytes represented by this header to determine bandwidth used  [FIG.7 & FIG. 13] further elaborate and show a visual of the records and corresponding the use of a earliest timestamp; storing, in the indexed data, a mapping of the first key value to fields that comprise an earliest timestamp; wherein the fields, in the mapping of the first key value to the fields, include a plurality of timestamps that includes the earliest timestamp and the latest timestamp; (Jas [0002]  a method may include receiving an event entry of an event stream, wherein the event entry is representative of an event associated with an attribute; generating, using a lookup table, an event record based on the event entry, wherein the lookup table includes a mapping of the attribute to a first context value, and wherein the event record indicates that the first context value is associated with the event; storing the event record in an event record data structure; logging, in the mapping of the lookup table, a first timestamp associated with the attribute, wherein the first timestamp is included in the event entry; receiving a context entry of a context stream, wherein the context entry indicates that the attribute is associated with a second context value that is different from the first context value; determining, based on the first context value being different from the second context value, whether a second timestamp, of the context entry, is before the first timestamp; and performing an action based on whether the second timestamp is before the first timestamp. [0012] the network device may include a telemetry data analyzer that detects likely error records associated with 
Regarding claim 20, Gould teaches A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising: ( Gould [0095,187-193] show the computer readable medium capable of reading and executing instructions )		receiving records of activity within a stream-processing system over a set of event streams; (Gould [0002] The present description relates to computer-implemented methods, data processing systems and machine-readable hardware storage devices for generating key-specific logs from execution of executable logic indexing data in the records under a set of keys comprising a first key related to jobs in the stream-processing system, (Gould [0128] Environment 100 includes audit file processor module 114, which includes a graph that processes raw information (i.e., audit files stored in database 112) and re-formats the raw information into a format for an ICFF. In this example, database 112 transmits the audit files to audit file processor module 114 for re-formatting. In turn, audit file processor module 114 transmits the re-formatted files to database 116, which writes a re-formatted file into an ICFF record 116a; indexed (in index 116) by one or more key fields (e.g., subject ID) and consolidated by time (e.g., hourly or daily). In this example, ICFF record 116a references (e.g., via a pointer or another referencing data structure) block of data 116c. In this example, while portions of the raw information are reformatted for ICFF record 116a (which is then indexed in index 116b) other portions of the raw information are stored in block of data[0131] In some a second key related to errors in the stream- processing system and a third key related to containers in the stream-processing system, (Gould [0138] Event engine 102 creates multiple different types of audit records to store in an ICFF in database 116. The below Table 1 specifies the different types of audit records, with their corresponding fields. Some of the below audit record types are optional depending on the level of logging. In this example, an ICFF stores a list of fields, corresponding the fields shown in the below Table 1, e.g., for use in generating the key fields of the ICFF record--as described above. Values for fields that are italicized in the below Table 1 are not generated by the event engine 102...When the event engine reads either a shared variable subject.sub.--id, or a chart instance variable. instance.sub.--id, variable_name, variable_value Monitoring timestamp, P Each monitoring point (which are associated with point subject.sub.--id, * links) has a condition and an expression. The event instance.sub.--id, engine generates an audit record only when the point_name, condition is true and computes the expression and point_value records the resulting value. Error dispatch timestamp, + This audit record type indicates that an error subject.sub.--id, occurred while executing the chart. instance.sub.--id, error_message, not_handled [144] The core set of audit 
Regarding claim 2, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 1, wherein indexing the data in the records under the set of keys further comprises: generating a value of the first key based on a job identifier (ID) of a job in the stream-processing system and an instance ID of an instance of the job. (Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record. Additionally, the system constructs a block of data corresponding to remaining audit records for that sequence. The 
Regarding claim 3, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 2, wherein indexing the data in the records under the set of keys further comprises: mapping the value of the first key to the earliest timestamp, the latest timestamp, a health metric for the job, container IDs for containers associated with the job, and job attributes of the job. (Gould [0108] Referring to FIG. 2E, diagram 29e illustrates a starting state of flowchart 32 in which an audit record is generated upon execution of start node 32a. In particular, start node 32a represents a data processing component that is configured to generate audit record 32i, e.g., when flowchart 32 is in a state in which start node 32a is being executed--as shown in this example. Generally, an audit record (or also called "log record") includes a data item (e.g., a structured item of data) that specifies a node that is traversed (and/or a data processing component that is executed) in processing a data record or an event and one or more attributes of processing the data record or event...[0129-0130 & 0138-0142] further elaborate on the job/subject IDs and event types and corresponding timestamps  [0176] In this example, metrics database 120 can be queried for metrics that are indicative of a state of event engine 102--such as a total number of events processed by the event engine 102 (e.g., based on the event seen audit records), a number of events that resulted in an 
Regarding claim 10, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 1, wherein indexing the data in the records under the set of keys further comprises: generating a value of a third key in the set of keys based on a container ID of a container in the stream-processing system; ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the sytem generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values and mapping the value of the third key to the earliest timestamp, the latest timestamp, a health metric, and task attributes of tasks in the container. (Gould [0108] Referring to FIG. 2E, diagram 29e illustrates a starting state of flowchart 32 in 
Regarding claim 11, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 1, wherein indexing the data in the records under the set of keys further comprises: delete a subset of the indexed data with a value of the latest timestamp that is older than a threshold. (Knapp [0105] Normal traffic database entries that were added to the database more than a specified time interval ago are removed 416. In one embodiment, the predetermined period of time is at least six weeks. The removing 416 step is also part of the dynamic re-baselining step of the process. Network behaviors change over time, therefore removing the data older than a predetermined time limit allows for new average values to be automatically formed. )
Regarding claim 13, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 1, wherein outputting the indexed data comprises: displaying, in a user interface, an attribute associated with the set of keys and one or more errors associated with the attribute. (Sabbouh  [0090] FIG. 5A shows a failure as a result of the publish UUID by user analytics. In particular, FIG. 5A shows a failure after operation 415 in which the version number was updated by n=m+1. Since the index manager 72 does not store any new information before the failure occurs, the index manager 72 may provide a timeout error to a display (e.g., display 85) that may be viewed by a user [0091] FIG. 5B shows a failure as after the service/user key is updated with the new metadata in operation 420. The example in FIG. 5B shows that while the version was incremented successfully as the value of the [service-name] key, the actual asset entry was not stored successfully in the master storage 92. In this regard, the index manager 72 may provide an indication of a timeout error to a display (e.g., display 85) to enable the user (e.g., a user named "Analytics") view the timeout error [0110] the index manager 72 may generate an 
Regarding claim 14, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 1, wherein each event stream in the set of event streams contains events related to a corresponding job in the stream- processing system. (Gould [0109] As described in further detail below, various types of audit records are predefined with various fields, each field type specifying one or more attributes of processing the data record or event. [0129] In some example, the audit records and/or audit files are reformatted for the ICFF by batching audit records together at a specified granularity (e.g., one event for one subscriber for one chart), computing key fields that will be stored on an ICFF record (e.g., fields for event type, subscriber ID, timestamp, chart instance ID, etc.) and then grouping the remaining audit records together in a collection, as follows: [0132] Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, 
Regarding claim 16, Gould teaches The system of claim 15, wherein indexing the data in the records comprises: when a first record received over the set of event streams produces a first key value in the set of keys… storing, in the indexed data, a mapping of the key value to fields that comprise an … timestamp that is set to a first timestamp in the first record; (Gould  [0129] In some example, the audit records and/or audit files are reformatted for the ICFF by batching audit records together at a specified granularity (e.g., one event for one subscriber for one chart), computing key fields that will be stored on an ICFF record (e.g., fields for event type, subscriber ID, timestamp, chart instance ID, etc.) and then grouping the remaining audit records together in a collection, as follows: [132] the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record. Additionally, the system constructs a block of data corresponding to remaining audit records for that sequence. The system stores that block of data as collection of data [0140] In an example, the system detects an occurrence of an event for a subject (e.g., a user or a subscriber) for a chart. As such, event engine 102 generates an "event seen" audit record, then an "event dispatch" audit record and then a "block exit--event" audit helps teach a first key value in the set of keys that is not found in the indexed data (Sabbouh [0099] In an instance in which there is a data conflict between the master storage 92 and the text index 93, the index manager 72 may use the metadata associated with a service key or user key of the master storage 93 to recover the metadata missing from the text index 93 and may rewrite the metadata (e.g., the missing metadata) to the text index 93, as described more fully below. To detect whether there is a data discrepancy between the master storage 92 and the text index 93, the index manager 72 may analyze the metadata in the text index 93 and the metadata that is available in the service key or user key of the master storage 92. In an instance in which, the index manager 72 determines that the service key or user key stored in the master storage 92 has metadata that is not in the text index 93, the index manager 72 may rewrite the metadata (e.g., version information (e.g., a version number), timestamp information (e.g., a creation date, a creation time), an author or originator of a document(s), etc.) associated with and for each subsequent record received over the set of event streams that produces a second key value that is identical to the first key value, setting a latest timestamp in the fields to a second timestamp in the subsequent record (Knapp [0063] If the first cache entry is not empty, headercap 202 determines 254 if the current packet's CRC matches the first cache entry's CRC. If it matches, then the current packet header is considered to be of like-kind to the packet header(s) represented by this cache entry, so the counter is incremented 256, the length is increased by the size of the packet header, and the latest packet header timestamp is updated with the timestamp of the current packet header. Before this happens, the packet counter is checked 258 for an overflow condition. If incrementing the counter would cause an overflow, the cache entry is written 260 to disk, the count and length are set to 0, the first packet header timestamp is set, and the IP packet length is set. Average packet lengths of up to 65537 are supported in this implementation, so no check is required for packet length overflows, thereby saving approximately one CPU cycle per packet.   [0067] The cache is used to count like-kind packets. Since each packet is associated with a count, total length, and multiple timestamps, a side channel was required to convey this information for each packet header in the pcap file. Headercap stores these values in the data portion of the packet. Specifically, the count, length, and first packet timestamp are stored in the data portion. The latest IP packet timestamp is stored in the field of the pcap data structure that records the time the IP packet was seen on the wire [0130] determine the sites subscribing to the group, a first and last time stamp observed for these packets within the desired time interval, and a total utilizing a earliest timestamp; storing, in the indexed data, a mapping of the key value to fields that comprise an earliest timestamp (Jas [0002]  a method may include receiving an event entry of an event stream, wherein the event entry is representative of an event associated with an attribute; generating, using a lookup table, an event record based on the event entry, wherein the lookup table includes a mapping of the attribute to a first context value, and wherein the event record indicates that the first context value is associated with the event; storing the event record in an event record data structure; logging, in the mapping of the lookup table, a first timestamp associated with the attribute, wherein the first timestamp is included in the event entry; receiving a context entry of a context stream, wherein the context entry indicates that the attribute is associated with a second context value that is different from the first context value; determining, based on the first context value being different from the second context value, whether a second timestamp, of the context entry, is before the first timestamp; and performing an action based on whether the second timestamp is before the first timestamp. [0012] the network device may include a telemetry data analyzer that detects likely error records associated with telemetry data using timestamps with a lookup table used to generate the event records. For example, the telemetry data analyzer may generate and/or update a lookup table entry, for each attribute (e.g., IP 
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of Sabbouh, Knapp, Jas and US 20190222419 A1; ADAMS; Neil Patrick et al. (hereinafter Adam)
Regarding claim 4, the combination of Gould, Sabbouh, Jas and Knapp teach The method of claim 2, wherein indexing the data in the records under the set of keys further comprises: generating the value of the first key … associated with the instance of the job. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each based on a number of attempts (Adam [0110] After incrementing the attempt count, at 924, a determination is made in an example, at 926, as to whether the allowable attempt count has been exceeded. If the allowable attempt count is determined to not be exceeded, the recovery key generation process 900 ends. If it is determined that the allowable attempt count is exceeded, user password access is locked out, at 928, and the recovery key generation process 900 ends. )						Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to take all prior methods and make the addition of Adams in order to help improve the security of the system ( Adams [0022] The diversifier value improves protection against trying to decrypt data on a device that is different from the device that encrypted the data, since that diversifier value used for encryption is not available to that different device. In an example, the hardware random number generator also generates a salt value that is used for master key protection operations. The salt value in an example is stored in the secure container and is not available to the general operating system [0023] In some examples, each iteration of functions to access, maintain, or perform other operations associated with maintaining the master key, execute all instructions in the function in order to protect against timing side-channel attacks. For example, all key 
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of Sabbouh, Knapp, Adams, Jas and US 20130272318 A1 SWINKELS; Gerard L. et al. (Swinkels)
 Regarding claim 5, the combination of Gould, Sabbouh, Jas, Adams and Knapp teach  The method of claim 4, wherein indexing the data in the records under the set of keys further comprises: generating the values of the first key based a container name for a container associated with the job … and a container ID for the container. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the sytem generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record.[0186] In this example, the system an incarnation number of the container (Swinkels [0022] Another SNC attribute is an incarnation number. The incarnation number may indicate how many times an SNC has been instantiated in network 10. 
Claim 6-9 are rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of Sabbouh, Knapp, Jas and US 20200104110 A1; Singh; Manbinder Pal (hereinafter Singh)
Regarding claim 6, the combination of Gould, Sabbouh, Jas, Singh and Knapp teach The method of claim 1, wherein indexing the data in the records under the set of keys further comprises: generating a value of the second key… ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record.[0186] In this example, the system generates ICFF record 348 that include the keys fields, e.g., from audit records 322, 324. The contents of audit records 326, 328, 330, 332, 334, 336, 338, 340, 342, 344, 362, 364 and the contents of audit records 322, 324 that are not included in ICFF record 348 are included in data block 350. The system stores ICFF record 348 and data block 350 in database 346. In this 
Regarding claim 7, the combination of Gould, Sabbouh, Singh and Knapp teach The method of claim 6, wherein indexing the data in the records under the set of keys further comprises: generating the value of the second key based on a job in the stream- processing system and a container associated with the job. (Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the sytem generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record.[0186] In this example, the system generates ICFF record 348 that include the keys fields, e.g., from audit records 322, 324. The contents of audit records 326, 328, 330, 332, 334, 336, 338, 340, 342, 344, 362, 364 and the contents of audit records 322, 324 that are not included in ICFF record 348 are included in data block 350. The system stores ICFF record 348 and data block 350 in database 346. In this example, database 346 stores index 352 and ICFF record 348 is indexed in index 352 by the following fields ...) --- (Sabbouh [0068] In an example embodiment, the index manager 72 may be used to designate the data design associated with the key value store 92 and the text index 93. In this regard, the index manager 72 may design data for the key value store 92 specifying the keys and the values in the key value store 92, and may design a service definition file specifying the fields in the text index 93. In an example embodiment, the index 
Regarding claim 8, the combination of Gould, Sabbouh, Singh and Knapp teach The method of claim 7, wherein indexing the data in the records under the set of keys further comprises: mapping the value of the second key to timestamps representing occurrences of the error for the job and the container.
Regarding claim 9, the combination of Gould, Sabbouh, Singh and Knapp teach The method of claim 6, wherein indexing the data in the records under the set of keys further comprises: mapping the value of the second key to the earliest timestamp, the latest timestamp, and error attributes of the error. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the sytem generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record.[0186] In this example, the system generates ICFF record 348 that include the keys fields, e.g., from audit records 322, 324. The contents of audit records 326, 328, 330, 332, 334, 336, 338, 340, 342, 344, 362, 364 and the contents of audit records 322, 324 that are not included in ICFF record 348 are included in data block 350. The system stores ICFF record 348 and data block 350 in database 346. In this example, database 346 stores index 352 and ICFF record 348 is indexed in index 352 by the following fields ...[0138] Error dispatch timestamp, + This audit record type indicates that an error subject.sub.--id, occurred while executing the chart. instance.sub.--id, error_message, not_handled ) --- (Knapp [0063] If the first cache 
Claim 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of Sabbouh, Knapp, Singh and Adams.
Regarding claim 17, the combination of Gould, Sabbouh, Singh and Knapp teach The system of claim 15, wherein indexing the data in the records under the set of keys comprises: generating a first value of the first key based on at least one of a job ID of a job in the stream-processing system, an instance ID of an instance of the job, and ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the sytem generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a and generating a second value of the second key … and an error type of the error in the stream-processing system. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds to one event for one subscriber for one chart. This example, the events occur sequentially. Additionally, the audit records for each event are stored sequentially in database 112 (e.g., in a file in database 112). Using the extracted audit records, the system generates a record that has a multiple key fields, e.g., including, an event type field, a subscriber ID field, a timestamp field, a chart instance ID field, and so forth. In some example, a first audit record in the sequence includes values for these multiple key fields. The system uses these included values in generating the new record.[0186] In this example, the system generates ICFF record 348 that include the keys fields, e.g., from audit records 322, 324. The contents of audit records 326, 328, 330, 332, 334, 336, 338, 340, 342, 344, 362, 364 and the contents of audit records 322, 324 that are not included in ICFF record 348 are included in data block 350. The system stores ICFF record 348 and data block 350 in database 346. In this example, database 346 stores index 352 and ICFF record 348 is indexed in index 352 by the following fields ...) --- (Knapp [0094] More specifically, system 130 contains a detection algorithm that performs anomaly detection at regular time intervals against all conversations tracked during that interval and outputs relevant security events to a Security Event Management (SEM) system. At least one of three types of anomalies are used to categorize identified anomalous network activity. [95-97] further elaborate)										and generating a second value of the second key based on a stack trace and an error type of the error in the stream-processing system. (Jas [0002]  a method may include receiving an event entry of an event stream, wherein the event entry is representative of an event associated with an attribute; generating, using a lookup table, an event record based on the event entry, wherein the lookup table includes a mapping of the attribute to a first context value, and wherein the event record indicates that the first context value is associated with the event; storing the event record in an event record data structure; logging, in the mapping of the lookup table, a first timestamp associated with the attribute, wherein the first timestamp is included in the event entry; receiving a context entry of a context stream, wherein the context entry indicates that the attribute is associated with a second context value that is different from the first context value; determining, based on the first context value being different from the second context value, whether a second timestamp, of the context entry, is before the first timestamp; and performing an action based on whether the second timestamp is before the first timestamp. [0012] the network device may include a telemetry data analyzer that detects likely error records associated with telemetry data using timestamps with a lookup table used to generate the event records. For example, the telemetry data analyzer may generate and/or update a lookup table entry, for each attribute (e.g., IP address), that includes the attribute, a corresponding context of the attribute (e.g., a host identifier), and a timestamp associated with a most recent event of the attribute. In this way, if a context entry is received that includes a timestamp before the timestamp in the lookup table, the network device may determine that event records associated with based on a number of attempts (Adam [0110] After incrementing the attempt count, at 924, a determination is made in an example, at 926, as to whether the allowable attempt count has been exceeded. If the allowable attempt count is determined to not be exceeded, the recovery key generation process 900 ends. If it is determined that the allowable attempt count is exceeded, user password access is locked out, at 928, and the recovery key generation process 900 ends. )						Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to take all prior methods and make the 
	Regarding claim 18, the combination of Gould, Sabbouh, Adam, Singh and Knapp teach The system of claim 17, wherein indexing the data in the records under the set of keys further comprises: mapping the first value of the first key to a health metric for the job, container IDs for containers associated with the job, and job attributes of the job; (Gould [0108] Referring to FIG. 2E, diagram 29e illustrates a starting state of flowchart 32 in which an audit record is generated upon execution of start node 32a. In particular, start node 32a represents a data processing component that is configured to generate audit record 32i, e.g., when and mapping the value of the second key to at least one of timestamps representing occurrences of the error and error attributes of the error. ( Gould [0132] In some examples, a level of granularity of a record is one event for one subscriber (e.g., user) for one chart. As such, the system described herein extracts (e.g., from audit files in database 112) a sequence of audit records that corresponds 
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Gould in view of Sabbouh, Knapp, Jas and US 20160147812 A1; ANDREI; Mihnea et al. (hereinafter Andrei)
Regarding claim 12, the combination of Gould, Sabbouh, and Knapp teach The method of claim 1, wherein outputting the indexed data comprises: identifying a subset of the indexed data with a value of the latest timestamp ( Andrei [0048] For transactions where row state 212 is set to "check CTS", a read thread compares a thread read timestamp to a timestamp stored in CTS 208. For transactions where row state 212 is set to "check CTS and DTS", a read thread compares the thread read timestamp to CTS 208 and DTS 210. For example, if the thread read timestamp is less than the commit timestamp stored in the CTS 208, the read thread began executing before a row associated with the CTS 208 was committed and the row would not be visible to the read thread. In another example, if the thread read timestamp of a read thread is greater than the commit timestamp, the read thread began executing after the write thread committed the row, and the row is visible to the read thread. In another example, if the thread read timestamp is less than DTS 210, the read thread began executing before a row associated with DTS 210 was destroyed and committed, and the row would be visible to the read thread. In another example, if the thread read timestamp of a read thread is greater than the commit timestamp, the read thread began executing after the write thread committed the row, and the row would be invisible to the read thread. )				timestamp that is greater than a last write time of the indexed data to a data store; and writing the subset of indexed data to the data (Andrei [0048] For transactions where row state 212 is set to "check CTS", a read thread compares a thread read timestamp to a timestamp stored in CTS 208. For transactions where row state 212 is set to "check CTS and DTS", a read thread compares the thread read timestamp to CTS 208 and DTS 210. For example, if the thread read timestamp is less than the commit timestamp stored in the CTS 208, the read thread began executing before a row associated with the CTS 208 was committed and the row would not be visible to the read thread. In another example, if the thread read timestamp of a read thread is greater than the commit timestamp, the read thread began executing after the write thread committed the row, and the row is visible to the read thread. In another example, if the thread read timestamp is less than DTS 210, the read thread began executing before a row associated with DTS 210 was destroyed and committed, and the row would be visible to the read thread. In another example, if the thread read timestamp of a read thread is greater than the commit timestamp, the read thread began executing after the write thread committed the row, and the row would be invisible to the read thread. )				Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to take all prior methods and make the addition of Andrei in order to increase the efficiency of the system (Andrei [0002] 
Response to Arguments
Applicant's arguments filed 7/12/2021 have been fully considered
35 USC § 103: 
Regarding Applicant’s Argument (page(s): 10-11): “Claim 1 recites: .... On page 13, the Office Action concedes that the combination of Gould and Sabbouth fails to disclose the bolded limitation (including the italicized portion). The Office Action then fails to address this limitation when discussing Knapp. Therefore, the Office Action has failed to provide Examiner’s response:- The Examiner respectfully disagrees with the applicant. Applicant’s arguments directed towards the new amendments are moot upon a further consideration and a new ground(s) of rejection made under 35 U.S.C. 103 as being unpatentable over new art US 20200295879 A1 JAS; Frank (hereinafter Jas). Also It is important to note that this rejection is one of obviousness and not one of anticipation, Regarding Applicant’s Argument (page(s): 12-13): “Present Claim 20 recites: … (Emphasis added.) The Office Action asserts that "claim 20 is rejected similarly as claim 1 above." However, Claim 1 does not recite the bolded portion of Claim 20. Thus, Claim 20 recites three keys: a first key related to jobs, a second key related to errors, and a third key related to containers. The Office Action has failed to provide aprimafacie case of obviousness for Claim 20. In the telephone interview, although not indicated in the Office Action, the Examiner indicated that "container" of Claim 20 is interpreted to be "storage." However, "storage" does not have the characteristics of the recited container of Claim 20, which is amended to include, from the specification, a definition of container.” Examiner’s response:- The Examiner respectfully disagrees with the applicant. The examiner has separated the rejection for claim 20 and it is no longer a corresponding rejection. It is important to note that this rejection is one of obviousness and not one of anticipation, henceforth there can be obviousness conclusions reached in the mapping and teaching of the prior arts inventions into the instant applications claim limitations. Gould does show this process of having a input and output (a stream of data) 
Regarding Applicant’s Argument (page(s): 13-14): “Present Claim 15 recites:... Subject matter from Claim 6 is incorporated into Claim 15. In rejecting Claim 6, the Office Action cites Park for allegedly disclosing "stack trace." However, since Gould does not mention stack trace and Park (though mentioning stack trace) does not describe how stack trace is used (much less using it as a key value), any combination of Gould and Park necessarily fails to disclose using a stack trace of an error to generate a value for a key, much less a key that is related to errors in a stream-processing system.” Examiner’s response:- The Examiner respectfully disagrees with the applicant. Applicant’s arguments directed towards the new amendments are moot upon a further consideration and a new ground(s) of rejection made under 35 U.S.C. 103 as being unpatentable over new art US 20200104110 A1; Singh; Manbinder Pal.
Regarding Applicant’s Argument (page(s): 14-15): “Claim 12 depends on Claim 1 and further recites: The Office Action concedes that Gould, Sabbouh, and Knapp fail to disclose the bolded portion of Claim 12. The Office Action then cites paragraph 48 of Andrei for allegedly disclosing the bolded portion of Claim 12. However, that paragraph 48 merely states:  ... (Emphasis added.) Andrei is about garbage collection of multi-version concurrency control information in a database system. Thus, Andrei includes description about read threads, write threads, transactions, Examiner’s response:- The Examiner respectfully disagrees with the applicant. It is important to note that this rejection is one of obviousness and not one of anticipation, hence elements from one art can be combined into a foundation of another separate art. Andrei is only brought in to help teach the comparison of timestamps and then a corresponding write operation based on that comparison (Andrei para. 48)
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARYAN D TOUGHIRY whose telephone number is (571)272-5212.  The examiner can normally be reached on Monday - Friday, 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/ARYAN D TOUGHIRY/Examiner, Art Unit 2165                                                                                                                                                                                                        
/ALEKSANDR KERZHNER/Supervisory Patent Examiner, Art Unit 2165