DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/02/2021 has been entered. 

Status of Claims
3.	Claims 1, 8, and 15 have been amended by Applicant. Claims 18-20 have been cancelled and claims 21-23 have been added. Claims 1-17 and 21-23 are currently pending. 

Information Disclosure Statement 
4.	The Information Disclosure Statement (IDS) submitted by Applicant on 07/02/2021 has been considered.  


Response to Arguments
The rejection of claims 1-2, 4-5, 7-9, 11-12, 14-16, and 18-19 under 35 U.S.C. 103 as being unpatentable over Gukal et al. (US 20150370842 A1) in view of Byrd et al. (US 20190034517 A1), has been withdrawn in view of Applicant’s amendments to claims 1, 8, and 15. However, upon further consideration and in view of said amendments a new ground of rejection has been made under 35 U.S.C. 103. See Claim Rejections under 35 U.S.C. 103 section further below.
The rejection of claims 3, 10, and 17 under 35 U.S.C. 103 as being unpatentable over Gukal et al. (US 20150370842 A1), in view of Byrd et al. (US 20190034517 A1), in further view of Mizutani (US 20160063388 A1), has been withdrawn in view of Applicant’s amendments to claims 1, 8, and 15. However, upon further consideration and in view of said amendments a new ground of rejection has been made under 35 U.S.C. 103. See Claim Rejections under 35 U.S.C. 103 section further below.
The rejection of claims 6, 13, and 20 under 35 U.S.C. 103 as being unpatentable over Gukal et al. (US 20150370842 A1) in view of Byrd et al. (US 20190034517 A1), in further view of Puri et al. (US 20150106324 A1), has been withdrawn in view of Applicant’s amendments to claims 1, 8, and 15. However, upon See Claim Rejections under 35 U.S.C. 103 section further below.

Applicant’s arguments with respect to claims 1, 8, and 15, and dependent claims therefrom, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 4-5, 7-9, 11-12, 14-16, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Gukal et al. (US 20150370842 A1) in view of Agnew et al. (U.S. Patent No. 10861202).

Regarding claim 1, Gukal teaches a computer-implemented method, the method comprising: 

receiving first input corresponding to a selection of a set of log messages (Gukal, Paragraph [0059] teaches “operations by a log stream analysis computer…responsive to user selection among displayed term nodes, host nodes, and/or source type nodes”; Gukal, Paragraph [0060] teaches receiving a selection by a user and/or an analysis program.);

accessing the set of log messages based on the received first input, the set of log messages including a plurality of subsets of the set of log messages, and each subset of the set of log messages corresponding to a defined characteristic (Gukal, Paragraph [0056] teaches “graph-walking operations to display and detect correlations across all log streams…”; Gukal, Paragraph [0057] teaches “At every repetition, the user can define or redefine the type of correlation…”; Gukal, Paragraph [0059] further teaches “responsive to user selection among displayed term nodes, host nodes, and/or source type nodes…” providing information based on content of the data structures of the plurality of nodes for display.);

receiving second input corresponding to a selection of a branching parameter configured to facilitate branching of one or more paths in a flow diagram representing a timeline of events captured within the set of log messages, (Gukal, Paragraph [0026] teaches log stream analysis comprising partitioning received log streams into corresponding records according to a defined time interval or other defined event.; Gukal, Paragraph [0059] teaches log stream analysis operations “responsive to user selection …”; Gukal, Paragraph [0060] further teaches node and graph illustrator … querying a user to determine the type of correlation that is to be performed.; Gukal, Paragraph [0061] further teaches based on the selected node wherein the branching parameter is associated with a distribution of one or more different values of a data field included in each log message of the set of log messages (Gukal, Paragraph [0055] teaches correlation operations can determine links between generated nodes; Gukal, Paragraph [0056] further teaches performing graph-walking operations to display and detect correlations across all log streams and all the time periods.; Gukal, Paragraph [0037] teaches summaries for records corresponding to a defined term for each time period or other record interval, where the summaries may contain the time period, stream identifier and record count; Gukal, Paragraph [0038] teaches for each TermID, corresponding RecordIDs occurring with the time period and identifying the count value.; Gukal, Paragraph [0030] teaches “terms” can include login names, host names, operational error identifiers. Terms may also be defined based on their occurrence in a defined number of records in a given time interval, may be identified by a preprocessing step that marks that position important for monitoring.); 

determining a first bucket of the flow diagram, the first bucket including the set of log messages (Gukal, Paragraph [0027] teaches partitioning received log streams into records; Gukal, Paragraph [0032] teaches “for each defined term that is determined to reside in one or more of the records, a term node is generated which may ; 

determining one or more second buckets of the flow diagram, each second bucket representing a subset of the set of log messages, each log message included in the second bucket corresponding to a defined characteristic associated with the selected branching parameter, wherein each of the one or more second buckets corresponds to a particular value of the one or more different values of the data field and wherein each of the one or more second buckets is associated with a count of log messages that include the corresponding particular value (Gukal, Paragraph [0053] teaches determining correlations between the records of the log streams within the log repository based on content of the data structure of the term node and a defined correlation rule. Alternatively or additionally, the correlation may be performed based on information contained in the hosts nodes and/or the source type nodes.; Gukal, Paragraph [0054] further teaches “for each of the plurality of defined terms…the generating a term node, can be repeated” [0054 in view of 0053 reading on one or more second buckets, as claimed.].; Gukal, Paragraph [0038] teaches for each TermID, corresponding RecordIDs occurring with the time period and identifying the count value.; Gukal, Paragraph [0030] teaches “terms” can be defined based on their occurrence in a defined number of records in a given time interval and/or may be identified by a preprocessing step that marks that position important for monitoring.); 

defining the one or more paths of the flow diagram, each of the one or more paths linking the first bucket to a second bucket of the one or more second buckets (Gukal, Paragraph [0057] teaches traversing graph from a starting node to a next selected node which can provide real-time correlation discovery; Gukal, Paragraph [0055] teaches “correlation operations can determine links between the generated nodes”);


	Although Gukal discloses at paragraphs [0056], [0057] and [0059] a graph and node illustrator, graph walking operations to display and detect correlations across all log streams, and traversing the graph from a starting node to a next node, Gukal does not distinctly disclose the limitations: generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets, wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket; and

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram.

	Nevertheless, Agnew teaches generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets (Agnew, Col. 14, lines 1-14, teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram; Agnew, Col. 29, lines 58-67, further teaches the flow diagram includes various nodes interconnected by one or more flows; Agnew, Abstract, teaches “each of the flows of the flows represents events that share a common relationship between a starting node and an ending node and visually connecting the starting node and the ending node”; Agnew, Col. 8, lines 65-67 and Col. 9, lines 1-5, teach the system divides the raw data (e.g., one or more system logs) into blocks (e.g. buckets of data, each associated with a specific time frame, etc.)), wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket (Agnew, Col. 29, lines 58-67, teaches the flow diagram (i.e., Sankey diagram) including various nodes interconnected by one or more flows and further teaches the width of an individual flow can be indicative of the number of events represented by the flow.; Agnew, Col. 31, lines 4-13 teaches each flow represents a collection of events (or a single event) that have a particular relationship to ; and 

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram (Agnew, Col. 14, lines 1-14 teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram).

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, with the event-based data intake and query system comprising data visualizations, as taught by Agnew, in order to address the challenges of analyzing massive quantities of machine data such as system logs and error logs by providing 



Regarding claim 2, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and Gukal further teaches wherein the branching parameter corresponds to one or more flow keys configured to trigger linking a first log message in a first subset of the set of log messages to a second log message in a second subset of the set of log messages when each of the first and second log messages includes the one or more flow keys (Gukal, Paragraph [0025] teaches “a log stream… can be uniquely identified by a compound identifier generated from a combination of the Host ID and the Source ID”; Gukal, Paragraph [0027] further teaches Record IDs; Gukal, Paragraph [0028]-[0029] further teaches data dictionary repository that can function to map unique strings or other terms contained in the records to defined identifiers.; Gukal, Paragraph [0034] teaches similarity values may be calculated using MinHash values, wherein the calculation may be determined over the Record IDs.; Gukal, Paragraph [0055] further teaches “the correlation operations can determine links between the generated nodes…” [reading on to trigger a linking…]).

Motivation to combine same as stated for claim 1.



	Regarding claim 4, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1 and Gukal further teaches wherein the set of log messages includes log messages from a plurality of log sources (Gukal, Paragraph [0025] teaches sources of different source types, reading on the limitation as claimed.).

Motivation to combine same as stated for claim 1.


	Regarding claim 5, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and Gukal further teaches wherein the set of log messages corresponds to a single log source (Gukal, Paragraph [0025] teaches sources of the same source type, reading on the limitation as claimed.).

Motivation to combine same as stated for claim 1.


Regarding claim 7, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and Gukal further teaches a first visual representation including a flow represented by the first bucket …, the first bucket representing a count of all log messages that are included in a segment, … (Gukal, Paragraph 

However, Gukal does not distinctly disclose: 
a first visual representation including a flow represented by the first bucket that connects visually and spatially to one or more visual representations of second buckets,...

 … and the one or more second buckets representing a distribution of values of the branching parameter, such that each of the one or more second buckets corresponds to a particular value of the branching parameter and represents a count of all log messages that are associated with the particular value of the branching parameter.

Nevertheless, Agnew teaches a first visual representation including a flow represented by the first bucket that connects visually and spatially to one or more visual representations of second buckets, … and the one or more second buckets representing a distribution of values of the branching parameter, such that each of the one or more second buckets corresponds to a particular value of the branching parameter and represents a count of all log messages that are associated with the particular value of the branching parameter (Agnew, Col. 14, 

Motivation to combine same as stated for claim 1. 



Regarding claim 8, Gukal teaches a system, comprising: one or more data processors; and a non-transitory computer-readable storage medium containing instructions which, when executed on the one or more data processors, cause the one or more data processors to perform operations (Gukal, Paragraph [0007] teaches “log stream analysis computer that includes a processor and a memory coupled to the processor. The memory includes computer readable program code that when executed by the processor causes the processor to perform operations.”) including: 

receiving first input corresponding to a selection of a set of log messages (Gukal, Paragraph [0059] teaches “operations by a log stream analysis computer…responsive to user selection among displayed term nodes, host nodes, and/or source type nodes”; Gukal, Paragraph [0060] teaches receiving a selection by a user and/or an analysis program.);

accessing the set of log messages based on the received first input, the set of log messages including a plurality of subsets of the set of log messages, and each subset of the set of log messages corresponding to a defined characteristic (Gukal, Paragraph [0056] teaches “graph-walking operations to display and detect correlations across all log streams…”; Gukal, Paragraph [0057] teaches “At every repetition, the user can define or redefine the type of correlation…”; Gukal, Paragraph [0059] further teaches “responsive to user selection among displayed term nodes, host nodes, and/or source type nodes…” providing information based on content of the data structures of the plurality of nodes for display.);

receiving second input corresponding to a selection of a branching parameter configured to facilitate branching of one or more paths in a flow diagram representing a timeline of events captured within the set of log messages, (Gukal, Paragraph [0026] teaches log stream analysis comprising partitioning received log streams into corresponding records according to a defined time interval or other defined event.; Gukal, Paragraph [0059] teaches log stream analysis operations “responsive to user selection …”; Gukal, Paragraph [0060] further teaches node and graph illustrator … querying a user to determine the type of correlation that is to be performed.; Gukal, Paragraph [0061] further teaches based on the selected node and type of correlation, determining time correlations such that the node and graph illustrator can display information based on the determined correlations.; Gukal, Paragraph [0062] teaches receiving additional node selections “to cause further correlations to be performed between content of a data structure of that node and content of the data structure of other nodes.”) wherein the branching parameter is associated with a distribution of one or more different values of a data field included in each log message of the set of log messages (Gukal, Paragraph [0055] teaches correlation operations can determine links between generated nodes; Gukal, Paragraph [0056] further teaches performing graph-walking operations to display and detect correlations across all log streams and all the time periods.; Gukal, Paragraph [0037] teaches summaries for records corresponding to a defined term for each time period or other record interval, where the summaries may contain the time period, stream identifier and record count; Gukal, Paragraph [0038] teaches for each TermID, ; 

determining a first bucket of the flow diagram, the first bucket including the set of log messages (Gukal, Paragraph [0027] teaches partitioning received log streams into records; Gukal, Paragraph [0032] teaches “for each defined term that is determined to reside in one or more of the records, a term node is generated which may be provided for graphical display…to a user”; Gukal, Paragraph [0031] teaches generating a term node for terms determined to be new.);

determining one or more second buckets of the flow diagram, each second bucket representing a subset of the set of log messages, each log message included in the second bucket corresponding to a defined characteristic associated with the selected branching parameter, wherein each of the one or more second buckets corresponds to a particular value of the one or more different values of the data field and wherein each of the one or more second buckets is associated with a count of log messages that include the corresponding particular value (Gukal, Paragraph [0053] teaches determining correlations between the records of the log streams within the log repository based on content of the data structure of the term node and a defined correlation rule. for each TermID, corresponding RecordIDs occurring with the time period and identifying the count value.; Gukal, Paragraph [0030] teaches “terms” can be defined based on their occurrence in a defined number of records in a given time interval and/or may be identified by a preprocessing step that marks that position important for monitoring.); 

defining the one or more paths of the flow diagram, each of the one or more paths linking the first bucket to a second bucket of the one or more second buckets (Gukal, Paragraph [0057] teaches traversing graph from a starting node to a next selected node which can provide real-time correlation discovery; Gukal, Paragraph [0055] teaches “correlation operations can determine links between the generated nodes”);


	Although Gukal discloses at paragraphs [0056], [0057] and [0059] a graph and node illustrator, graph walking operations to display and detect correlations across all log streams, and traversing the graph from a starting node to a next node, Gukal does not distinctly disclose the limitations: generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets, wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket; and

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram.

	Nevertheless, Agnew teaches generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets (Agnew, Col. 14, lines 1-14, teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram; Agnew, Col. 29, lines 58-67, further teaches the flow diagram includes various nodes interconnected by one or more flows; Agnew, Abstract, teaches “each of the flows of the flows represents events that share a common relationship between a starting node and an ending node and visually connecting the starting node and the ending node”; Agnew, Col. 8, lines 65-67 and Col. 9, lines 1-5, teach the system divides the raw data (e.g., one or more system logs) into , wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket (Agnew, Col. 29, lines 58-67, teaches the flow diagram (i.e., Sankey diagram) including various nodes interconnected by one or more flows and further teaches the width of an individual flow can be indicative of the number of events represented by the flow.; Agnew, Col. 31, lines 4-13 teaches each flow represents a collection of events (or a single event) that have a particular relationship to the two nodes that form the flows endpoints…The size of the flow (also referred to as the width) is indicative of a number of events represented by the flow; Agnew, Col. 31, lines 23-39 further teaches an information block and/or hovering window displays relevant information about the selected flow such as the total count of events in the flow.; Agnew, Col. 8, lines 32-46 teaches “when the data source is an operating system log, an event can include one or more lines from the operating system log containing raw data that includes different types of performance and diagnostic information associated with a specific point in time”; Agnew, Col. 8, lines 47-56, teaches machine data generated may include log files, activity log files, and messages.; Agnew, Col. 8, lines 65-67 and Col. 9, lines 1-5, teaches the system divides the raw data into blocks (e.g. buckets of data, each associated with a specific time frame, etc.)); and

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram (Agnew, Col. 14, lines 1-14 teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram).

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, with the event-based data intake and query system comprising data visualizations, as taught by Agnew, in order to address the challenges of analyzing massive quantities of machine data such as system logs and error logs by providing real-time operational intelligence that enables organizations to collect, index, and search machine-generated data from various sources which may be particularly useful for analyzing data commonly found in system log files. (Agnew, Col. 7, lines 56-67 and Col. 8, lines 3-18).


Regarding claim 9, the combination of Gukal in view of Agnew teaches all of the limitations of claim 8, and Gukal further teaches wherein the branching parameter corresponds to one or more flow keys configured to trigger linking a first log message in a first subset of the set of log messages to a second log message in a second subset of the set of log messages when each of the first and second log messages includes the one or more flow keys (Gukal, Paragraph [0025] teaches “a compound identifier generated from a combination of the Host ID and the Source ID”; Gukal, Paragraph [0027] further teaches Record IDs; Gukal, Paragraph [0028]-[0029] further teaches data dictionary repository that can function to map unique strings or other terms contained in the records to defined identifiers.; Gukal, Paragraph [0034] teaches similarity values may be calculated using MinHash values, wherein the calculation may be determined over the Record IDs.; Gukal, Paragraph [0055] further teaches “the correlation operations can determine links between the generated nodes…”).

Motivation to combine same as stated for claim 8. 


	Regarding claim 11, the combination of Gukal in view of Agnew teaches all of the limitations of claim 8, and Gukal further teaches wherein the set of log messages includes log messages from a plurality of log sources (Gukal, Paragraph [0025] teaches sources of different source types, reading on the limitation as claimed.).

Motivation to combine same as stated for claim 8. 



	Regarding claim 12, the combination of Gukal in view of Agnew teaches all of the limitations of claim 8, and Gukal further teaches wherein the set of log messages corresponds to a single log source (Gukal, Paragraph [0025] teaches sources of the same source type, reading on the limitation as claimed.).

Motivation to combine same as stated for claim 8.



	Regarding claim 14, the combination of Gukal in view of Agnew teaches all of the limitations of claim 8, and Gukal further teaches a first visual representation including a flow represented by the first bucket …, the first bucket representing a count of all log messages that are included in a segment, … (Gukal, Paragraph [0032] teaches term nodes may be provided for display; Gukal, Paragraph [0038] further teaches data structure for a term node identifies for each TermID, the time period, the corresponding Record IDs occurring within the time period. For each of the Record IDs, the data structure further identifies the count value and the MinHash.)

However, Gukal does not distinctly disclose: 
a first visual representation including a flow represented by the first bucket that connects visually and spatially to one or more visual representations of second buckets,...

 … and the one or more second buckets representing a distribution of values of the branching parameter, such that each of the one or more second buckets corresponds to a particular value of the branching parameter and represents a count of all log messages that are associated with the particular value of the branching parameter.

Nevertheless, Agnew teaches a first visual representation including a flow represented by the first bucket that connects visually and spatially to one or more visual representations of second buckets, … and the one or more second buckets representing a distribution of values of the branching parameter, such that each of the one or more second buckets corresponds to a particular value of the branching parameter and represents a count of all log messages that are associated with the particular value of the branching parameter (Agnew, Col. 14, lines 1-14, teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram; Agnew, Col. 29, lines 58-67, further teaches the flow diagram includes various nodes interconnected by one or more flows; Agnew, Abstract, teaches “each of the flows of the flows represents events that share a common relationship between a starting node and an ending node and visually connecting the starting node and the ending node”; Agnew, Col. 8, lines 65-67 and Col. 9, lines 1-5, teach the system divides the raw data (e.g., one or more system logs) into blocks (e.g. buckets of data, each associated with a specific time frame, etc.); Agnew, Col. 31, lines 4-13 teaches each flow represents a collection of events (or a single event) that have a particular relationship to the two nodes that form the flows endpoints…The size of the flow (also referred to as the width) is indicative of a number of events represented by the 

Motivation to combine same as stated for claim 8.




Regarding claim 15, Gukal teaches a computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause a data processing apparatus to perform operations (Gukal, Paragraphs [0007] and [0069] teach memory including computer readable program code that when executed by the processor causes the processor to perform operations, reading on the limitation as claimed.) including: 

receiving first input corresponding to a selection of a set of log messages (Gukal, Paragraph [0059] teaches “operations by a log stream analysis computer…responsive to user selection among displayed term nodes, host nodes, and/or source type nodes”; Gukal, Paragraph [0060] teaches receiving a selection by a user and/or an analysis program.);

accessing the set of log messages based on the received first input, the set of log messages including a plurality of subsets of the set of log messages, and each subset of the set of log messages corresponding to a defined characteristic (Gukal, Paragraph [0056] teaches “graph-walking operations to display and detect correlations across all log streams…”; Gukal, Paragraph [0057] teaches “At every repetition, the user can define or redefine the type of correlation…”; Gukal, Paragraph [0059] further teaches “responsive to user selection among displayed term nodes, host nodes, and/or source type nodes…” providing information based on content of the data structures of the plurality of nodes for display.); 

receiving second input corresponding to a selection of a branching parameter configured to facilitate branching of one or more paths in a flow diagram representing a timeline of events captured within the set of log messages, (Gukal, Paragraph [0026] teaches log stream analysis comprising partitioning received log streams into corresponding records according to a defined time interval or other defined event.; Gukal, Paragraph [0059] teaches log stream analysis operations “responsive to user selection …”; Gukal, Paragraph [0060] further teaches node and graph illustrator … querying a user to determine the type of correlation that is to be performed.; Gukal, Paragraph [0061] further teaches based on the selected node and type of correlation, determining time correlations such that the node and graph illustrator can display information based on the determined correlations.; Gukal, Paragraph [0062] teaches receiving additional node selections “to cause further wherein the branching parameter is associated with a distribution of one or more different values of a data field included in each log message of the set of log messages (Gukal, Paragraph [0055] teaches correlation operations can determine links between generated nodes; Gukal, Paragraph [0056] further teaches performing graph-walking operations to display and detect correlations across all log streams and all the time periods.; Gukal, Paragraph [0037] teaches summaries for records corresponding to a defined term for each time period or other record interval, where the summaries may contain the time period, stream identifier and record count; Gukal, Paragraph [0038] teaches for each TermID, corresponding RecordIDs occurring with the time period and identifying the count value.; Gukal, Paragraph [0030] teaches “terms” can include login names, host names, operational error identifiers. 
Terms may also be defined based on their occurrence in a defined number of records in a given time interval, may be identified by a preprocessing step that marks that position important for monitoring.); 

determining a first bucket of the flow diagram, the first bucket including the set of log messages (Gukal, Paragraph [0027] teaches partitioning received log streams into records; Gukal, Paragraph [0032] teaches “for each defined term that is determined to reside in one or more of the records, a term node is generated which may be provided for graphical display…to a user”; Gukal, Paragraph [0031] teaches generating a term node for terms determined to be new.;); 

determining one or more second buckets of the flow diagram, each second bucket representing a subset of the set of log messages, each log message included in the second bucket corresponding to a defined characteristic associated with the selected branching parameter, wherein each of the one or more second buckets corresponds to a particular value of the one or more different values of the data field and wherein each of the one or more second buckets is associated with a count of log messages that include the corresponding particular value (Gukal, Paragraph [0053] teaches determining correlations between the records of the log streams within the log repository based on content of the data structure of the term node and a defined correlation rule. Alternatively or additionally, the correlation may be performed based on information contained in the hosts nodes and/or the source type nodes.; Gukal, Paragraph [0054] further teaches “for each of the plurality of defined terms…the generating a term node, can be repeated” [0054 in view of 0053 reading on one or more second buckets, as claimed.].; Gukal, Paragraph [0038] teaches for each TermID, corresponding RecordIDs occurring with the time period and identifying the count value.; Gukal, Paragraph [0030] teaches “terms” can be defined based on their occurrence in a defined number of records in a given time interval and/or may be identified by a preprocessing step that marks that position important for monitoring.); 

defining the one or more paths of the flow diagram, each of the one or more paths linking the first bucket to a second bucket of the one or more second buckets (Gukal, Paragraph [0057] teaches traversing graph from a starting node to a ; 

	Although Gukal discloses at paragraphs [0056], [0057] and [0059] a graph and node illustrator, graph walking operations to display and detect correlations across all log streams, and traversing the graph from a starting node to a next node, Gukal does not distinctly disclose the limitations: generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets, wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket; and

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram.

	Nevertheless, Agnew teaches generating a graphical user interface (GUI) that includes a visual representation of at least a path of the one or more paths of the flow diagram, visually and spatially connecting a visual representation of the first bucket to a visual representation of a second bucket of the one or more buckets (Agnew, Col. 14, lines 1-14, teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram; Agnew, Col. 29, lines 58-67, further teaches the flow diagram includes various nodes interconnected by one or more flows; Agnew, Abstract, teaches “each of the flows of the flows represents events that share a common relationship between a starting node and an ending node and visually connecting the starting node and the ending node”; Agnew, Col. 8, lines 65-67 and Col. 9, lines 1-5, teach the system divides the raw data (e.g., one or more system logs) into blocks (e.g. buckets of data, each associated with a specific time frame, etc.)), wherein the visual representation of the path indicates the count of log messages associated with the second bucket, and wherein at least one visual characteristic of each of the visual representations of the first bucket, the second bucket, and the path is generated based at least in part on a count of log messages associated with the second bucket (Agnew, Col. 29, lines 58-67, teaches the flow diagram (i.e., Sankey diagram) including various nodes interconnected by one or more flows and further teaches the width of an individual flow can be indicative of the number of events represented by the flow.; Agnew, Col. 31, lines 4-13 teaches each flow represents a collection of events (or a single event) that have a particular relationship to the two nodes that form the flows endpoints…The size of the flow (also referred to as the width) is indicative of a number of events represented by the flow; Agnew, Col. 31, lines 23-39 further teaches an information block and/or hovering window displays relevant information about the selected flow such as the total count of events in the ;

	displaying the graphical user interface including the visual representation of the one or more paths of the flow diagram (Agnew, Col. 14, lines 1-14 teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram;).

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, with the event-based data intake and query system comprising data visualizations, as taught by Agnew, in order to address the challenges of analyzing massive quantities of machine data such as system logs and error logs by providing real-time operational intelligence that enables organizations to collect, index, and search machine-generated data from various sources which may be particularly useful for analyzing data commonly found in system log files. (Agnew, Col. 7, lines 56-67 and Col. 8, lines 3-18).



	Regarding claim 16, the combination of Gukal in view of Agnew teaches all of the limitations of claim 15, and Gukal further teaches wherein the branching parameter corresponds to one or more flow keys configured to trigger linking a first log message in a first subset of the set of log messages to a second log message in a second subset of the set of log messages when each of the first and second log messages includes the one or more flow keys (Gukal, Paragraph [0025] teaches “a log stream… can be uniquely identified by a compound identifier generated from a combination of the Host ID and the Source ID”; Gukal, Paragraph [0027] further teaches Record IDs; Gukal, Paragraph [0028]-[0029] further teaches data dictionary repository that can function to map unique strings or other terms contained in the records to defined identifiers.; Gukal, Paragraph [0034] teaches similarity values may be calculated using MinHash values, wherein the calculation may be determined over the Record IDs.; Gukal, Paragraph [0055] further teaches “the correlation operations can determine links between the generated nodes…”).

Motivation to combine same as stated for claim 15.


	Regarding claim 21, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and the combination further teaches wherein the at least one visual characteristic is a size of the visual representations of the first bucket, second bucket and the path, and the size of the visual representations are proportional to a particular count of log messages of the one or more counts of log messages (Agnew, Col. 29, lines 58-67, teaches the flow diagram (i.e., Sankey diagram) including various nodes interconnected by one or more flows and further teaches the width of an individual flow can be indicative of the number of events represented by the flow.; Agnew, Col. 31, lines 4-13 teaches each flow represents a collection of events (or a single event) that have a particular relationship to the two nodes that form the flows endpoints…The size of the flow (also referred to as the width) is indicative of a number of events represented by the flow; Agnew, Col. 31, lines 23-39 further teaches an information block and/or hovering window displays relevant information about the selected flow such as the total count of events in the flow.; Agnew, Col. 8, lines 32-46 teaches “when the data source is an operating system log, an event can include one or more lines from the operating system log containing raw data that includes different types of performance and diagnostic information associated with a specific point in time”; Agnew, Col. 8, lines 47-56, teaches machine data generated may include log files, activity log files, and messages.;).
	
	Motivation to combine same as stated for claim 1.


	Regarding claim 22, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and the combination further teaches wherein the graphical user interface further includes a visual representation of an extended timeline, the extended timeline comprising a time window corresponding to visual representation of each of the one or more paths of the flow diagram (Agnew, Col. 41, lines 35-41, teaches a user-interactive "timeline" chart (also referred to as simply "timeline") as a visualization of a chart indicative of data.; Agnew, Col. 41, lines 59-67, further teaches search screen of the GUI for the timeline chart also includes a time range picker that enables the user to specify a time range for the search and, for real-time searches, the user can select the size of a preceding time window to search for real-time events.; Agnew, Col. 30, lines 16-23, also teaches (with respect to flow diagrams – i.e., Sankey diagrams) time range picker and user-selectable window size for real time searches to search for real-time events.).

	Motivation to combine same as stated for claim 1. 
	

	Regarding claim 23, the combination of Gukal in view of Agnew teaches all of the limitations of claim 1, and the combination further teaches wherein the GUI comprises a Sankey diagram comprising visual representations of each path of the one or more paths of the flow diagram (Agnew, Col. 14, lines 1-14, teaches GUI engine; Agnew, Figure 12 illustrates interactive graphical user interface displaying a flow diagram (i.e., Sankey diagram) comprising a plurality of paths of the flow diagram; Agnew, Col. 29, lines 58-67, teaches the flow diagram (i.e., Sankey diagram) including .
	
Motivation to combine same as stated for claim 1.

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gukal et al., in view of Agnew et al., in further view of Mizutani (US 20160063388 A1).  

Regarding claim 3, the combination of Gukal in view of Agnew teaches all of the limitations of claim 2. Although the combination substantially teaches the claimed invention, the combination does not distinctly disclose wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets.

Nevertheless, Mizutani teaches wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets (Mizutani, Paragraph [0100] teaches handling each log message as a key for obtaining the relationships between log messages and the obtained relationship as a correlation rule.; Mizutani, Paragraph [0101] further teaches a parameter portion including a numerical portion; .

[EXAMINER NOTE: Examiner notes that Agnew does disclose “extraction rules can be applied to all the events in a data store, or to a subset of the events that have been filtered based on some criteria (e.g., event time stamp values, etc.).”].

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, as modified by the event-based data intake and query system comprising data visualizations, as taught by Agnew, to further include the log message visualization techniques, as taught by Mizutani, in order to enable rapid analysis of causes of problems or troubles that have occurred in computer systems from analyzing log messages and enable the problems to be solved promptly. (Mizutani, Paragraphs [0002]-[0009]).



Regarding claim 10, the combination of Gukal in view of Agnew teaches all of the limitations of claim 9. Although the combination substantially teaches the claimed invention, the combination does not distinctly disclose wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets.

Nevertheless, Mizutani teaches wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets (Mizutani, Paragraph [0100] teaches handling each log message as a key for obtaining the relationships between log messages and the obtained relationship as a correlation rule.; Mizutani, Paragraph [0101] further teaches a parameter portion including a numerical portion; Mizutani, Paragraph [0102] further teaches “visualizing a log message based on a parameter.”; Mizutani, Figure 2 illustrates one or more paths from subsets of log messages, and also illustrates each path of the one or more paths between two subsets at 204 and 206).

[EXAMINER NOTE: Examiner notes that Agnew does disclose “extraction rules can be applied to all the events in a data store, or to a subset of the events that have been filtered based on some criteria (e.g., event time stamp values, etc.).”].

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, as modified by the event-based data intake and query system 



Regarding claim 17, the combination of Gukal in view of Agnew teaches all of the limitations of claim 16. Although the combination substantially teaches the claimed invention, the combination does not distinctly disclose wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets.

Nevertheless, Mizutani teaches wherein, for each subset of the set of log messages: defining the one or more paths from the subset to one or more other subsets of the plurality of subsets based on the one or more flow keys, wherein each path of the one or more paths is between two subsets (Mizutani, Paragraph [0100] teaches handling each log message as a key for obtaining the relationships between log messages and the obtained relationship as a correlation rule.; Mizutani, Paragraph [0101] further teaches a parameter portion including a numerical portion; Mizutani, Paragraph [0102] further teaches “visualizing a log message based on a .

[EXAMINER NOTE: Examiner notes that Agnew does disclose “extraction rules can be applied to all the events in a data store, or to a subset of the events that have been filtered based on some criteria (e.g., event time stamp values, etc.).”].

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, as modified by the event-based data intake and query system comprising data visualizations, as taught by Agnew, to further include the log message visualization techniques, as taught by Mizutani, in order to enable rapid analysis of causes of problems or troubles that have occurred in computer systems from analyzing log messages and enable the problems to be solved promptly. (Mizutani, Paragraphs [0002]-[0009]).

Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Gukal et al. in view of Agnew et al., in further view of Puri et al. (US 20150106324 A1).   

	Regarding claim 6, the combination of Gukal in view of Agnew teaches all of the limitations of claim 5, and Gukal further teaches further comprising: 

constructing a first query based on the branching parameter (Gukal, Paragraph [0060] teaches “[t]he type of correlation that is to be performed is determined (block 804), such as by querying a user…”); and 

performing a first query based on the first query string (Gukal, Paragraph [0060] teaches querying; Gukal, Paragraph [0023] further teaches “log stream analysis computer 100 operates to identify records of the log streams within a log repository that contain a defined term. The term may be any portion of a record entry, such as a … string of a record entry…”;), …

Although the combination of Gukal in view of Agnew substantially teaches (or at the least implies) the claimed invention (Gukal, Paragraph [0023] teaches “…The log stream analysis computer 100 also operates to determine similarity values that indicate an amount of similarity between content of the records containing the defined term,…”; Gukal, Paragraph [0054] teaches correlation between content of records of log streams within the log repository can be determined based on a defined correlation rule and content of the data structure of the term, host and/or source nodes), Puri more clearly and explicitly teaches the limitation the performing of the first query including: filtering the set of log messages using the branching parameter, such that the set of log messages are grouped into one or more buckets based on a distribution of values of the branching parameter, and such that a bucket corresponds to a particular value of the branching parameter and a subset of the set of log messages having the corresponding particular value.

Puri teaches the performing of the first query including: filtering the set of log messages using the branching parameter, such that the set of log messages are grouped into one or more buckets based on a distribution of values of the branching parameter, and such that a bucket corresponds to a particular value of the branching parameter and a subset of the set of log messages having the corresponding particular value (Puri, Paragraph [0026] teaches “filtering”; Puri, Paragraph [0032] teaches “Over time, information that is present in the log file 104 may be mined to link events together, discover time correlated groupings of events or behaviors, and tracked according to frequency of occurrence and frequency of occurrence…The master directed graph generation module 102 may mine and process logs at scale for extraction of relationships (in either full-scale distributed mode or emulation mode), data profiling, filtering, and exploration.”; Puri, Paragraph [0021] teaches “A master directed graph decomposition module may process the master directed graph … to decompose the plurality of unique walks into their probability distributions... A graph matching module may determine … a distance difference score and a correlation score for each walk pair of the plurality of walk pairs.”).

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, as modified by the event-based data intake and query system comprising data visualizations, as taught by Agnew, to further include the graph decomposition, filtering, correlation, and grouping of events corresponding to analyzed 



Regarding claim 13, the combination of Gukal in view of Agnew teaches all of the limitations of claim 12, and Gukal further teaches further comprising: 

constructing a first query based on the branching parameter (Gukal, Paragraph [0060] teaches “[t]he type of correlation that is to be performed is determined (block 804), such as by querying a user…”); and 

performing a first query based on the first query string (Gukal, Paragraph [0060] teaches querying; Gukal, Paragraph [0023] further teaches “log stream analysis computer 100 operates to identify records of the log streams within a log repository that contain a defined term. The term may be any portion of a record entry, such as a … string of a record entry…”;), …

Although the combination of Gukal in view of Agnew substantially teaches (or at the least implies) the claimed invention (Gukal, Paragraph [0023] teaches “…The log stream analysis computer 100 also operates to determine similarity values that indicate an amount of similarity between content of the records containing the defined term,…”; Gukal, Paragraph [0054] teaches correlation between content of records of log streams the performing of the first query including: filtering the set of log messages using the branching parameter, such that the set of log messages are grouped into one or more buckets based on a distribution of values of the branching parameter, and such that a bucket corresponds to a particular value of the branching parameter and a subset of the set of log messages having the corresponding particular value.

Puri teaches the performing of the first query including: filtering the set of log messages using the branching parameter, such that the set of log messages are grouped into one or more buckets based on a distribution of values of the branching parameter, and such that a bucket corresponds to a particular value of the branching parameter and a subset of the set of log messages having the corresponding particular value (Puri, Paragraph [0026] teaches “filtering”; Puri, Paragraph [0032] teaches “Over time, information that is present in the log file 104 may be mined to link events together, discover time correlated groupings of events or behaviors, and tracked according to frequency of occurrence and frequency of occurrence…The master directed graph generation module 102 may mine and process logs at scale for extraction of relationships (in either full-scale distributed mode or emulation mode), data profiling, filtering, and exploration.”; Puri, Paragraph [0021] teaches “A master directed graph decomposition module may process the master directed graph … to decompose the plurality of unique walks into their probability 

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the method and system for log stream analysis taught by Gukal, as modified by the event-based data intake and query system comprising data visualizations, as taught by Agnew, to further include the graph decomposition, filtering, correlation, and grouping of events corresponding to analyzed log files, as taught by Puri, in order to determine correlations among log stream records in a fast and intuitive manner. (Puri, Paragraph [0004]). 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEATRIZ RAMIREZ BRAVO whose telephone number is 571-272-2156. The examiner can normally be reached Mon. - Fri. 7:30 a.m.-5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALEXEY SHMATOV can be reached on 571-270-3428. The fax phone 
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/B.R.B./Examiner, Art Unit 2123
/ALEXEY SHMATOV/Supervisory Patent Examiner, Art Unit 2123