DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/07/2021 has been entered.
The e-Terminal Disclaimer to obviate the nonstatutory double patenting rejection over US Patent No. 10523521 has been received and approved by the office on 12/07/2021.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 18-20, 23, and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and further in view of Hastwell (US 8958318 B1).
Regarding claim 1, Dugatkin teaches a method comprising:
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
a search query to be executed against timestamped event data generated by the remote capture agent based on the network traffic monitored by the remote capture agent, ([0036]: The triggers may be a pattern or rule specifying a portion of a network address or other identifying information included in a data unit.)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote capture agent) 210. [0036]: user defined constraints. The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose to generate timestamped event data, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent.
However, Malloy teaches to generate timestamped event data, ([0018]: on-demand mode wherein the capturing of network traffic is explicitly started and stopped by a user or some predefined triggering event. [0037]: the capture server would simply record timestamps at each selection of a start and stop command. After a stop command, the notification utility would then notify the capture agents to create snapshots of data corresponding to the time between the recorded timestamps.)
wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent. ([0004]: A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin to include the above limitation. One would have been motivated to do so because many of the prior art approaches for addressing network application performance issues involve the use of capture agents. A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points. The captured data can then be analyzed by application developers or expert troubleshooters to improve an application's performance or resolve network or application problems. As taught by Malloy, [0004].
Dugatkin and Malloy do not explicitly disclose wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream.
However, Hastwell teaches wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream. (Fig. 4. Col 1 lines 53-57: The network flow is monitored for the occurrence of at least one predetermined triggering event. In response to detecting the triggering event, at least a portion of one or more of the packets received after the triggering event is captured. Col 4 lines 17-29: Example detectable triggering events (e.g. security incident) may include, for example, Address Resolution Protocol (ARP) inspection violations (e.g., dynamic ARP inspection (DAI) violations), Dynamic Host Configuration Protocol (DHCP) snooping violations, Internet Protocol (IP) spoofing attacks (e.g., IP Source Guard violations), port security violations, etc.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Malloy to include the above limitation. One would have been motivated to do so because there is a large amount of data flowing through the network, so it is impossible to capture all events. Thus, it makes sense to detect the occurrence of a network event that indicates a desire to begin the capture of actual data. The detected event is referred to herein as a network event of interest or triggering event. As taught by Hastwell, Col 2 lines 40-54.
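The limitations of claim 1 as mapped above describe a workflow: a manager turns user input (a search query, a protocol identifier and a duration) into configuration information, sends it to a remote capture agent, and the agent generates an ephemeral event stream once a timestamped event satisfying the query is identified. The following Python model is an added illustration of that workflow for the reader; it is not code from the application or from the Dugatkin, Malloy or Hastwell references. The class and field names (StreamInput, EphemeralStream, RemoteCaptureAgent, query_matches) are hypothetical, the events are constructed, and the 180 s duration reflects the "3 minutes" example quoted from Dugatkin [0036].

```python
"""Added example: manager generates configuration from user input, the remote
capture agent evaluates timestamped events against the search query and, on a
match, generates an ephemeral event stream limited to the named protocol and the
configured duration.  All names are hypothetical; the events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

Event = Dict[str, object]  # constructed timestamped event: ts, proto, optional alert


@dataclass
class StreamInput:
    """User input defining an ephemeral event stream (hypothetical fields)."""
    name: str
    search_query: Dict[str, object]   # field == value conditions; all must match
    protocol: str                     # protocol of the packets to include
    duration_s: int                   # how long the agent generates event data


@dataclass
class EphemeralStream:
    start_ts: int
    end_ts: int
    trigger: Event                    # the timestamped event that satisfied the query
    packets: List[Event] = field(default_factory=list)


def generate_config(inp: StreamInput) -> Dict[str, object]:
    """Manager side: the settings the agent needs, in a form that can be sent."""
    return {"name": inp.name, "query": dict(inp.search_query),
            "protocol": inp.protocol, "duration_s": inp.duration_s}


def query_matches(query: Dict[str, object], event: Event) -> bool:
    """A simple search query: every field/value in the query must appear in the event."""
    return all(event.get(k) == v for k, v in query.items())


class RemoteCaptureAgent:
    def __init__(self) -> None:
        self.configs: List[Dict[str, object]] = []
        self.streams: List[EphemeralStream] = []
        self._active: Dict[str, EphemeralStream] = {}   # config name -> open stream

    def receive_config(self, cfg: Dict[str, object]) -> None:
        self.configs.append(cfg)

    def observe(self, event: Event) -> None:
        ts = int(event["ts"])
        # 1. Feed the packet to open streams; close those whose time has elapsed.
        for cfg in self.configs:
            stream = self._active.get(cfg["name"])
            if stream is None:
                continue
            if ts >= stream.end_ts:
                del self._active[cfg["name"]]
            elif event.get("proto") == cfg["protocol"]:
                stream.packets.append(event)
        # 2. Evaluate the search query; a hit opens a new ephemeral stream
        #    covering packets received after the triggering event.
        for cfg in self.configs:
            if cfg["name"] in self._active:
                continue
            if query_matches(cfg["query"], event):
                stream = EphemeralStream(ts, ts + int(cfg["duration_s"]), trigger=event)
                self._active[cfg["name"]] = stream
                self.streams.append(stream)


def run_demo() -> List[EphemeralStream]:
    inp = StreamInput("dhcp-violation-capture", {"alert": "dhcp_snooping_violation"}, "dhcp", 180)
    agent = RemoteCaptureAgent()
    agent.receive_config(generate_config(inp))     # "sending" the configuration
    events: List[Event] = [                         # constructed sample events
        {"ts": 0, "proto": "http"},
        {"ts": 1, "proto": "dhcp", "alert": "dhcp_snooping_violation"},   # trigger
        {"ts": 2, "proto": "dhcp"},      # captured
        {"ts": 3, "proto": "http"},      # wrong protocol, not captured
        {"ts": 150, "proto": "dhcp"},    # captured, still inside the 180 s window
        {"ts": 200, "proto": "dhcp"},    # window elapsed: stream closed, not captured
        {"ts": 201, "proto": "dhcp", "alert": "dhcp_snooping_violation"},  # second stream
    ]
    for ev in events:
        agent.observe(ev)
    return agent.streams


if __name__ == "__main__":
    for s in run_demo():
        print(s.start_ts, s.end_ts, [p["ts"] for p in s.packets])
```

Running the demo yields two streams: the first opened by the event at ts 1 and containing the DHCP packets at ts 2 and 150 (the HTTP packet is excluded by the protocol setting, the packet at ts 200 falls outside the window), and a second, still-open stream triggered at ts 201.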

Regarding claim 2, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches wherein the remote capture agent generates the ephemeral event stream based on the configuration information. ([0085]: The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)

Regarding claim 3, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches wherein the method further comprises: receiving second input defining a second ephemeral event stream to be generated by the remote capture agent; updating, based on the second input, the configuration information to include second settings to be used by the remote capture agent to generate the second ephemeral event stream; and sending, via the network, the configuration information including the second settings to the remote capture agent. ([0036]: The collectors 210 may review, capture and otherwise obtain network traffic and network traffic data in capture groups. A “capture group” is a group of data units or network traffic data concerning the data units which may be collected according to system defined and/or user defined constraints. [0048]: In a successive refinement, a second capture group (e.g. a second ephemeral event stream) 330 may include all of the TCP data units 326, including FTP data units 332, HTTP data units 334, SMTP data units 336 and other data units 338.)

Regarding claim 4, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches wherein the input defining the ephemeral event stream further indicates at least one of a name for the ephemeral event stream, a description of the ephemeral event stream, or an identifier of an existing event stream from which to clone the ephemeral event stream. ([0036]: A “capture group” is a group of data units or network traffic data concerning the data units which may be collected according to system defined and/or user defined constraints. The start trigger may be set to be a particular kind of data unit, may be a particular network address specified as a source and/or destination address in a data unit, may be a data rate of the network traffic, and others.)

Regarding claim 5, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, wherein the event stream information for the ephemeral event stream includes at least one of: a name of the ephemeral event stream, a number of instances of the ephemeral event stream, an application associated with the ephemeral event stream, a start time of the ephemeral event stream, an end time of the ephemeral event stream, a time remaining for generation of event data associated with the ephemeral event stream, or a status of the ephemeral event stream. ([0081]: A network traffic analysis specification provided by a user may be received. The network traffic analysis specification may specify various characteristics of the network traffic the user wishes to have analyzed. The network traffic analysis specification may include commands or instructions that cause the network traffic characterization to include information concerning source and destination addresses, data unit types and subtypes, data unit protocols, port identifiers, data unit source programs (e.g. specific to an application), and others. [0088]: The network traffic characterization may be communicated to or made available to a traffic generator and/or displayed to a user, as shown in block 660.)

Regarding claim 18, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches wherein the method further comprises receiving second input used to filter display of a plurality of ephemeral event streams including the ephemeral event stream. ([0034]: The manager may provide a user interface to allow a user to view network traffic data; to select, edit and/or create filters.)

Regarding claim 19, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information related to at least one permanent event stream and the ephemeral event stream. ([0081]: A network traffic analysis specification provided by a user may be received. The network traffic analysis specification may specify various characteristics of the network traffic the user wishes to have analyzed. The network traffic analysis specification may include commands or instructions that cause the network traffic characterization to include information concerning source and destination addresses, data unit types and subtypes, data unit protocols, port identifiers, data unit source programs (e.g. specific to an application), and others. [0088]: The network traffic characterization may be communicated to or made available to a traffic generator and/or displayed to a user, as shown in block 660.)

Regarding claim 20, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including a description of a capture trigger that caused generation of the ephemeral event stream. ([0036]: The triggers may specify events that cause the collectors to begin or cease capturing network traffic. The start trigger may be set to be a particular kind of data unit, may be a particular network address specified as a source and/or destination address in a data unit, may be a data rate of the network traffic, and others.)

Regarding claim 23, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin teaches wherein the input defining the ephemeral event stream is received via a graphical user interface (GUI). ([0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)

Regarding claim 29, Dugatkin teaches an apparatus, comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
a search query to be executed against timestamped event data generated by the remote capture agent based on the network traffic monitored by the remote capture agent, ([0036]: The triggers may be a pattern or rule specifying a portion of a network address or other identifying information included in a data unit.)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote capture agent) 210. [0036]: user defined constraints. The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose to generate timestamped event data, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent.
However, Malloy teaches to generate timestamped event data, ([0018]: on-demand mode wherein the capturing of network traffic is explicitly started and stopped by a user or some predefined triggering event. [0037]: the capture server would simply record timestamps at each selection of a start and stop command. After a stop command, the notification utility would then notify the capture agents to create snapshots of data corresponding to the time between the recorded timestamps.)
wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent. ([0004]: A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin to include the above limitation. One would have been motivated to do so because many of the prior art approaches for addressing network application performance issues involve the use of capture agents. A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points. The captured data can then be analyzed by application developers or expert troubleshooters to improve an application's performance or resolve network or application problems. As taught by Malloy, [0004].
Dugatkin and Malloy do not explicitly disclose wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream.
However, Hastwell teaches wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream. (Fig. 4. Col 1 lines 53-57: The network flow is monitored for the occurrence of at least one predetermined triggering event. In response to detecting the triggering event, at least a portion of one or more of the packets received after the triggering event is captured. Col 4 lines 17-29: Example detectable triggering events (e.g. security incident) may include, for example, Address Resolution Protocol (ARP) inspection violations (e.g., dynamic ARP inspection (DAI) violations), Dynamic Host Configuration Protocol (DHCP) snooping violations, Internet Protocol (IP) spoofing attacks (e.g., IP Source Guard violations), port security violations, etc.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Malloy to include the above limitation. One would have been motivated to do so because there is a large amount of data flowing through the network, so it is impossible to capture all events. Thus, it makes sense to detect the occurrence of a network event that indicates a desire to begin the capture of actual data. The detected event is referred to herein as a network event of interest or triggering event. As taught by Hastwell, Col 2 lines 40-54.

Regarding claim 30, Dugatkin teaches a non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform operations for facilitating processing of network data, the operations comprising: 
receiving input defining an ephemeral event stream to be generated by a remote capture agent, the input indicating: ([0034]: The network testing system 200 may include collectors 210 to capture, to collect, to filter and to perform other operations on network traffic collected from network 260. The collectors 210 may produce network traffic data. The collectors may be coupled to and pass collected and filtered network traffic data and/or the network traffic to the characterization units 220. [0036]: The triggers may specify events (e.g. event streams) that cause the collectors 210 to begin or cease capturing network traffic. [0046]: The manager 250 may provide an interface (e.g. a graphical user interface) to allow a user to create and/or modify filters (e.g. the configuration information) to be used by the collectors (e.g. remote capture agent).)
a search query to be executed against timestamped event data generated by the remote capture agent based on the network traffic monitored by the remote capture agent, ([0036]: The triggers may be a pattern or rule specifying a portion of a network address or other identifying information included in a data unit.)
an identifier of a network protocol used by network packets from which the ephemeral event stream is to be generated, and ([0045]: The filters may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units.)
an amount of time the remote capture agent is to generate event data to be included in the ephemeral event stream; ([0036]: The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors 210 to begin or cease capturing network traffic. The triggers may also be set based on time constraints such that network data is captured over a system or user defined period of time (e.g., 3 minutes, 30 minutes, 3 hours).)
generating, based on the input, configuration information that includes settings to be used by the remote capture agent to generate the ephemeral event stream; and ([0045]: The filters 212 may be system defined and/or user-defined. The filters 212 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. Filters 212 may be used to limit data collection to specific network traffic patterns. [0046]: The manager 250 may provide an interface to allow a user to create and/or modify filters (e.g. generate configuration information) 212 to be used by the collectors (e.g. used by the remote capture agent) 210. [0036]: user defined constraints. The constraints may include a “start trigger” and a “stop trigger”. The triggers may specify events that cause the collectors to begin or cease capturing network traffic (e.g. in response to detection of a respective trigger condition).)
sending, via the network, the configuration information to the remote capture agent. ([0085]: A user interface may be provided that allows a user to define network traffic filters and specify the network traffic analysis to be performed, as shown in block 670. The user defined network traffic filters may be received, as shown in block 674. The user defined network traffic filters may then be used when collecting data units (e.g. transmitted to remote capture agent) from the network at block 610, to filter the collected data units at block 614 and to obtain pertinent information from the collected data units at block 616.)
Dugatkin does not explicitly disclose to generate timestamped event data, wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent.
However, Malloy teaches to generate timestamped event data, ([0018]: on-demand mode wherein the capturing of network traffic is explicitly started and stopped by a user or some predefined triggering event. [0037]: the capture server would simply record timestamps at each selection of a start and stop command. After a stop command, the notification utility would then notify the capture agents to create snapshots of data corresponding to the time between the recorded timestamps.)
wherein the timestamped event data is generated by the remote capture agent based on the network packets monitored by the remote capture agent. ([0004]: A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin to include the above limitation. One would have been motivated to do so because many of the prior art approaches for addressing network application performance issues involve the use of capture agents. A capture agent is a network monitoring tool, commonly referred to as a “sniffer” or “protocol analyzer”, that is used to capture network traffic data. Multiple capture agents can be placed at various points within a network and are configured to monitor the traffic flowing through those points. The captured data can then be analyzed by application developers or expert troubleshooters to improve an application's performance or resolve network or application problems. As taught by Malloy, [0004].
Dugatkin and Malloy do not explicitly disclose wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream.
However, Hastwell teaches wherein timestamped event data satisfying the search query indicates a potential security incident in a computing environment, and wherein identification of at least one timestamped event satisfying the search query causes the remote capture agent to generate the ephemeral event stream. (Fig. 4. Col 1 lines 53-57: The network flow is monitored for the occurrence of at least one predetermined triggering event. In response to detecting the triggering event, at least a portion of one or more of the packets received after the triggering event is captured. Col 4 lines 17-29: Example detectable triggering events (e.g. security incident) may include, for example, Address Resolution Protocol (ARP) inspection violations (e.g., dynamic ARP inspection (DAI) violations), Dynamic Host Configuration Protocol (DHCP) snooping violations, Internet Protocol (IP) spoofing attacks (e.g., IP Source Guard violations), port security violations, etc.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin and Malloy to include the above limitation. One would have been motivated to do so because there is a large amount of data flowing through the network, so it is impossible to capture all events. Thus, it makes sense to detect the occurrence of a network event that indicates a desire to begin the capture of actual data. The detected event is referred to herein as a network event of interest or triggering event. As taught by Hastwell, Col 2 lines 40-54.

Claims 6-8 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Cartsonis (US 6584501 B1).
Regarding claim 6, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including an interface element that, upon selection, causes an action to be applied to a set of user-selected ephemeral event streams.
However, Cartsonis teaches causing display of a graphical user interface (GUI) including an interface element that, upon selection, causes an action to be applied to a set of user-selected ephemeral event streams. (Fig. 5. Col 2 lines 54-57: The user interface of the present invention makes clear the interdependence among different parts of a networked application, and facilitates thread grouping in an interactive, dynamic manner. The user is also able to quickly narrow down an area of interest by zooming. Col 3 lines 3-4: The method may also implement thread grouping (e.g. an action associated with managing the one or more ephemeral event streams to a set of 3 selected ephemeral event streams) as specified by the user.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin, Malloy and Hastwell. One would have been motivated to do so because it is desirable to perform thread grouping based on protocol-specific, application-level, or user specification for easy navigation or analysis. As taught by Cartsonis, Col 2 line 42-Col 3 line 4.

Regarding claim 7, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. 
However, Cartsonis teaches wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. (Fig. 5. Col 2 lines 54-57: The user interface of the present invention makes clear the interdependence among different parts of a networked application, and facilitates thread grouping in an interactive, dynamic manner. The user is also able to quickly narrow down an area of interest by zooming. Col 3 lines 3-4: The method may also implement thread grouping (e.g. an action associated with managing the one or more ephemeral event streams to a set of 3 selected ephemeral event streams) as specified by the user.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in Dugatkin, Malloy and Hastwell. One would have been motivated to do so because it is desirable to perform thread grouping based on protocol-specific, application-level, or user specification for easy navigation or analysis. As taught by Cartsonis, Col 2 line 42-Col 3 line 4.

Regarding claim 8, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream, wherein the input selecting the set of ephemeral event streams is based on an event stream attribute, and wherein the event stream attribute is at least one of: a category associated with the set of ephemeral event streams, a protocol used by network packets associated with the set of ephemeral event streams, an application used to create the set of ephemeral event streams, or an event stream lifecycle associated with the set of ephemeral event streams; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams.
However, Cartsonis teaches wherein the method further comprises: receiving second input selecting a set of ephemeral event streams including the ephemeral event stream, wherein the input selecting the set of ephemeral event streams is based on an event stream attribute, and wherein the event stream attribute is at least one of: a category associated with the set of ephemeral event streams, a protocol used by network packets associated with the set of ephemeral event streams, an application used to create the set of ephemeral event streams, or an event stream lifecycle associated with the set of ephemeral event streams; and causing display of a graphical user interface (GUI) including event stream information for the set of ephemeral event streams. (Fig. 5. Col 2 line 5-8: The present invention determines which packets belong in a particular thread by analyzing the stream of packets and making a protocol-specific determination of the packets that should be grouped together. Col 2 line 58-60: The present invention thus facilitates analysis of packet-level operational characteristics in a packet trace that groups packets in coherent, application-level structure.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because it is desirable to perform thread grouping based on protocol-specific, application-level, or user specification for easy navigation or analysis. As taught by Cartsonis, Col 2 line 42-Col 3 line 4.

Regarding claim 16, Dugatkin, Malloy and Hastwell teach the method of claim 1.

However, Cartsonis teaches causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element used to navigate between the event stream information and creation information for a creator of the ephemeral event stream. (Figs. 2-5: a GUI that allows the user to navigate between different threads (e.g. event streams) and groups, and to display the threads/groups by server or client (e.g. creators).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin and Malloy. One would have been motivated to do so because a server node may be serving numerous different client nodes at the same time, and thus have a distinct thread occurring with each of the clients, with the packets being serially transmitted and received by the server node belonging to these many different threads. It is desirable to be able to navigate between the event streams and their creators in order to analyze the correlations between event streams. As taught by Cartsonis, Col 2 line 21-25.

Regarding claim 17, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element for navigating between the event stream information and creation information for a creator of the ephemeral event stream, wherein the creator of the ephemeral event stream is at least one of: an application for monitoring network traffic captured by the remote capture 
However, Cartsonis teaches causing display of a graphical user interface (GUI) including: event stream information for the ephemeral event stream, and an interface element for navigating between the event stream information and creation information for a creator of the ephemeral event stream, wherein the creator of the ephemeral event stream is at least one of: an application for monitoring network traffic captured by the remote capture agent, or a capture trigger for generating additional timestamped event data from the network packets based on a security risk. (Col 4 line 6-8: A thread is defined as some collection of individual packets that relate to a particular transaction or other application-level event. Col 6 line 64-Col 7 line 5: Thread analysis 702 includes performing conventional protocol decoding techniques, and then examining individual packets to determine which packets constitute a thread, as defined in relation to a specific application being analyzed. For each application, threads are defined as some significant application-level type of event that occurs in the course of the application.)  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because in many situations, analysis of application-level behavior is desired. In addition, existing techniques fail to provide any easy-to-use graphical user interface for viewing application-level protocol analysis data. What is needed is a method and user interface for displaying network performance and protocol analysis results in a coherent and visually understandable manner. What is further needed is a method and user interface for accurately providing application-level protocol analysis without requiring time-consuming analysis of packet-level trace information. As taught by Cartsonis, Col 1 line 23-49.

Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Moran (US 7299277 B1).
Regarding claim 9, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein the method further comprises: receiving input requesting to delete the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to delete the ephemeral event stream. 
However, Moran teaches wherein the method further comprises: receiving input requesting to delete the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to delete the ephemeral event stream. (Fig. 30. Col 31 Table 38: Storing capture data for post-capture analysis by a sniffer, etc. Col 16 line 54-55: The event server provides operations for creating, deleting, enabling and disabling event groups. Col 17 line 48-49: The alarms server provides operations for creating, deleting, enabling and disabling alarm groups. Col 70 Table 111: Application Monitoring events associated with creation, change of state, or deletion of monitoring objects.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because it is common practice to allow users to delete old or obsolete event data in order to free up available space and ease navigation.

Regarding claim 10, Dugatkin, Malloy and Hastwell teach the method of claim 1.

However, Moran teaches wherein the method further comprises: receiving input requesting to disable the ephemeral event stream; and sending, via the network, instructions to the remote capture agent to disable the ephemeral event stream. (Fig. 30. Col 31 Table 38: Storing capture data for post-capture analysis by a sniffer, etc. Col 16 line 54-55: The event server provides operations for creating, deleting, enabling and disabling event groups. Col 17 line 48-49: The alarms server provides operations for creating, deleting, enabling and disabling alarm groups. Col 70 Table 111: Application Monitoring events associated with creation, change of state, or deletion of monitoring objects.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because it is common practice to allow users to disable outdated event capture rules in order to save processing power and bandwidth.

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Durham (US 7954109 B1).
Regarding claim 11, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event 
However, Durham teaches causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams. (Col 4 line 8-11: Each of the captured data events is timestamped in correspondence with a predetermined clock. The captured and timestamped data events are then sorted according to their respective clock timestamps.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because in a system that employs multiple transmission protocols, the protocol-based timestamping of multiple captured data events can make it difficult to make accurate and reliable determinations as to absolute and relative data event lengths, and data event start and finish times. As a result, the ability to identify temporal relationships between data events, such as is required to facilitate time-based sorting and analysis of those data events, may be compromised. What is needed are systems and methods for time based sorting and display of captured data events, each of which may be associated with a different transmission protocol, in such a way that temporal and causal relationships between and among the captured data events can be reliably and accurately identified. As taught by Durham, Col 3 line 43-61.

Regarding claim 12, Dugatkin, Malloy and Hastwell teach the method of claim 1.

However, Durham teaches causing display of a graphical user interface (GUI) including event stream information, the event stream information including information related to a plurality of ephemeral event streams including the ephemeral event stream; and sorting the event stream information by an event stream attribute associated with each of the plurality of ephemeral event streams, wherein the event stream attribute is at least one of a name associated with each ephemeral event stream of the plurality of ephemeral event streams, a number of ephemeral event streams in the plurality of ephemeral event streams, an application used to create each of the ephemeral event streams of the plurality of ephemeral event streams, a start time associated with each ephemeral event stream of the plurality of ephemeral event streams, an end time associated with each ephemeral event stream of the plurality of ephemeral event streams, an 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because in a system that employs multiple transmission protocols, the protocol-based timestamping of multiple captured data events can make it difficult to make accurate and reliable determinations as to absolute and relative data event lengths, and data event start and finish times. As a result, the ability to identify temporal relationships between data events, such as is required to facilitate time-based sorting and analysis of those data events, may be compromised. What is needed are systems and methods for time based sorting and display of captured data events, each of which may be associated with a different transmission protocol, in such a way that temporal and causal relationships between and among the captured data events can be reliably and accurately identified. As taught by Durham, Col 3 line 43-61.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Oda (US 20160330086 A1).
Regarding claim 13, Dugatkin, Malloy and Hastwell teach the method of claim 1.

However, Oda teaches wherein the method further comprises receiving second input modifying an end time for terminating the generation of the timestamped event data to be included in the ephemeral event stream, ([0043]: It is noted that times t1, t2, and t3 may be input by a user from a time-range input screen, which is one of the screens displayed in a data collection server 200, or may be input from an external application.)
wherein modifying the end time includes one of: extending the end time, or reducing the end time. ([0077]: In a process relating to a time range over which data on a network packet is acquired, the time-range change part 113 sets or changes (e.g. modifying an end time), where necessary, times t1 to t3 input by an external application or a user via a time-range input screen of the data collection server 200.) It is common knowledge that when a change is made to the time range, the change either extends or reduces the time range.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because some events may require a longer capture time because of their complexity or criticality, such as an attempted security breach or attack. It is desirable to provide a user or an application with an interface for inputting a time range of the times t1 to t3 and inputting data-collection-destination base information, so that a collection range of the packet collection target data and the data collection destination can be defined or changed. As taught by Oda, [0091].

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Claudatos (US 20080159146 A1).
Regarding claim 14, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose further comprising: receiving a search query including one or more search criteria; executing the search query to identify one or more ephemeral event streams satisfying the one or more search criteria. 
However, Claudatos teaches further comprising: receiving a search query including one or more search criteria; executing the search query to identify one or more ephemeral event streams satisfying the one or more search criteria. ([0040]: Various methods and formats may be used for logging data derived from the network traffic (e.g. events). The database may be used to contain records where each record could contain the traffic file itself (such as a .cap, .pcap file, etc.) and all the relevant data (e.g. can include the events of the ephemeral event streams) as well as additional data derived and/or extracted from the traffic itself so that the record can be easily searched.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because even if the entire traffic data were retained, there is no method to efficiently and effectively search the data. There is a need, therefore, for an improved method, article of manufacture, and apparatus for monitoring network traffic. As taught by Claudatos, [0004]-[0005].

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Seering (US 20150178342 A1).
Regarding claim 15, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein timestamped events in the ephemeral event stream are searchable using a late-binding schema. 
However, Seering teaches wherein timestamped events in the ephemeral event stream are searchable using a late-binding schema. ([0010]: the user-defined logic may be registered with the database meta-data, such that the loading of the data may be deferred to query time, which is also known as “late binding.” In one regard, late binding enables federated use of the user-defined data sources, for instance, the ability to run SQL queries directly over data stored in HDFS. In addition, the user may define the user-defined policy to dynamically transition between immediate loading of the data onto the database and late binding.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations into Dugatkin, Malloy and Hastwell. One would have been motivated to do so because late binding is a well-known method for querying a database. In one regard, late binding enables federated use of the user-defined data sources, for instance, the ability to run SQL queries directly over data stored in HDFS. As taught by Seering, [0010].

Claims 21-22 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Tamayo (US 20140279824 A1).

Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream.
However, Tamayo teaches causing display of a graphical user interface (GUI) including a visualization of a metric related to the ephemeral event stream. (Fig 1 and Fig 7)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 22, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams.
However, Tamayo teaches further comprising causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams, the event stream information including a plurality of inline visualizations of a metric associated with each of the plurality of ephemeral event streams. (Fig 1 and Fig 7)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so in order to be able to efficiently 

Regarding claim 25, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams.
However, Tamayo teaches causing display of a graphical user interface (GUI) including event stream information for a plurality of ephemeral event streams including the ephemeral event stream, the event stream information including an aggregated metric for the plurality of ephemeral event streams. ([0080]: The expression of indicator causes the time-sensitive cube data system to sum or aggregate the total loan value of loans within the respective dimensions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Regarding claim 26, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, 
However, Tamayo teaches causing display of a graphical user interface (GUI) including a graph of a metric associated with the ephemeral event stream, wherein the graph of the metric is updated as additional timestamped event data associated with the ephemeral event stream is received. ([0080]: The expression of indicator causes the time-sensitive cube data system to sum or aggregate the total loan value of loans within the respective dimensions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so in order to be able to efficiently present snapshots of the multidimensional data to the user so that the user can visualize the data. As taught by Tamayo, [0002]-[0004].

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Njemanze (US 8365278 B1).
Regarding claim 24, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including an indication of a number of notable events associated with the ephemeral event stream.
However, Njemanze teaches causing display of a graphical user interface (GUI) including event stream information for the ephemeral event stream, the event stream information including a count of the total number of such alerts to the manager)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so because, regardless of whether a host-based or a network-based implementation is adopted and whether that implementation is knowledge-based or behavior-based, an intrusion detection system is only as useful as its ability to discriminate between normal system usage and true intrusions (accompanied by appropriate alerts). Accordingly, what is needed is a system that can provide accurate and timely intrusion detection and alert generation so as to effectively combat attempts to compromise a computer network or system. As taught by Njemanze, Column 2 lines 10-23.

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Markos (US 20050267967 A1).
Regarding claim 27, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream.
However, Markos teaches wherein generating the configuration information includes creating a file including the settings to be used by the remote capture agent to generate the ephemeral event stream. (Abstract: The plurality of events can be traced and/or monitored for 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so because a need exists for a capability that facilitates the analysis of network data received across a single interface. For example, a need exists for a capability that allows the tracing of one specific set of events for one host and the tracing of a different set of events for another host at substantially the same time. As taught by Markos, [0003].

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Dugatkin (US 20050021715 A1) in view of Malloy (US 20070067450 A1), and in view of Hastwell (US 8958318 B1), and further in view of Zhang (US 20120197934 A1).
Regarding claim 28, Dugatkin, Malloy and Hastwell teach the method of claim 1.
Dugatkin, Malloy and Hastwell do not explicitly disclose wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol.
However, Zhang teaches wherein the identifier of the network protocol is used by the remote capture agent to assemble network packets into a packet flow based on the network protocol. ([0045]: FIG. 2 illustrates a block diagram of at least one embodiment of indexing engine 125. Indexing engine 125 receives MD from ingestion engine 120 and breaks the data 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Dugatkin, Malloy and Hastwell to include the above limitation. One would have been motivated to do so because conventional search systems are inefficient at handling real-time searches. It is desirable to have an improved method for enabling searching and reporting of machine data in real time and/or non-real time. As taught by Zhang, [0006] and [0026].

Response to Arguments
Applicant's arguments, see pages 11-15, filed 12/07/2021, with respect to the rejection(s) of claim(s) 1-30 under 35 U.S.C. § 103 have been fully considered but are moot in view of new ground(s) of rejection.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZI YE whose telephone number is (571)270-1039. The examiner can normally be reached Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ZI YE/Primary Examiner, Art Unit 2455