DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status
This instant application No. 16/771,602 has claims 1-4, 6-9, 11-12, 15-18, 20-23, 25, and 29 pending based on the preliminary amendment filed on August 18, 2020.

Priority / Filing Date
Applicant’s claims for priority to App. No. PCT/GB2018/053475 and foreign App. No. GB1720888.5 are acknowledged. The effective filing date for this instant application is December 14, 2017.

Drawings
The drawings filed on June 10, 2020 are accepted for examination purposes.




Information Disclosure Statement
As required by M.P.E.P. 609(C), the Applicant’s submission of the Information Disclosure Statement dated June 10, 2020 is acknowledged by the Examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609 C(2), a copy of each of the PTOL-1449s initialed and dated by the Examiner is attached to the instant Office action.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 29 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Regarding claim 29, “A computer-readable medium” is recited for searching databases. However, in accordance with Applicant’s specification ([0117] and [0123] of PG-Pub), Applicant describes the term “computer-readable medium” to include “to be acquired…and…encoded…by delivery of the one or more modules…over a wired or wireless network”, which are characteristics of a transmission medium. Applicant is advised that such a transmission medium typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. As such, the claim is drawn to a form of energy and is not statutory.

“A non-transitory computer readable medium storing instructions…”

Notes
Claim 15 recites a method for searching databases. The claim is not directed to an abstract idea because it at least recites additional elements that can integrate the claim into a practical application per step 2A of the “abstract idea” analysis (i.e., outputting an effectiveness indicator output such that a user can use the effectiveness indicator output to select a top field for use as a filter in a further search). Such steps are also not insignificant extra-solution activities and are not well-understood, routine, and conventional functions per step 2B of the “abstract idea” analysis. Further, the claimed steps are not practically implemented by a human mind, and the claim does not recite mathematical formulas or any method of organizing human activity such as a fundamental economic concept or managing interactions between people. Thus, claim 15 and its dependent claims qualify as eligible subject matter under 35 U.S.C. 101.
Claim 1 recites a search apparatus comprising a processor and a memory as hardware components ([0120]-[0121] of PG-Pub) for implementing a non-abstract idea of claim 15. Thus, claim 1 and its dependent claims also qualify as eligible subject matter under 35 U.S.C. 101.
Claim 29 recites a non-transitory storage medium for implementing a non-abstract idea of claim 15. Thus, claim 29 also qualifies as eligible subject matter under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 6, 11-12, 15-18, 20, 25, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Yousaf et al. (Pub. No. US 2016/0180557, published on June 23, 2016; hereinafter Yousaf) in view of Neels et al. (Pub. No. US 2015/0019537, published on January 15, 2015; hereinafter Neels).

Regarding claims 1, 15, and 29, Yousaf clearly shows and discloses a method of searching a database (Abstract), a search apparatus coupled to a database, the apparatus comprising: a processor configured to execute instructions; a memory storing instructions which, when executed by the processor, cause the processor to implement the method; and a computer readable medium storing instructions which, when executed by a processor of a search apparatus coupled to a database cause the search apparatus to implement the method (Figures 1 & 7); wherein the method comprises: 
searching a database for items containing a search term, wherein items containing the search term are matched items (the data analysis system may be used by a user (also referred to herein as an “analyst”) to execute searches and/or additional enrichments against the received data item leads. Searches allow the user to access the various raw data items (including any enrichments, as mentioned above) associated with a data item lead in order to investigate a likelihood that the data item lead represents a data item of interest (for example, an indication of malicious activity, such as by malware), [0065]); 
identifying fields corresponding to attributes of the matched items (Figure 3 shows display area 322 may be used to display the individual raw data items in a tabular format, with columns corresponding to attributes of the raw data items. As used herein, the term “tabular format” is a broad term including its ordinary and customary meaning, including, but not limited to, any display format utilizing rows and columns, the rows corresponding to entities (e.g., raw data items) and columns corresponding to attributes associated with the entities, or vice versa, [0111]);
defining a range of values for each field (a histogram may be generated by sorting an attribute associated with one or more data items into one or more ranges or buckets (e.g., a time attribute may be associated with a plurality of buckets, each corresponding to a particular time period, wherein all data items having a time attribute value that falls within the same time period may be placed in the same bucket). The histogram may then be displayed in a chart or graph in which entries in the chart or graph correspond to the attribute value buckets or ranges instead of individual attribute values, [0112]); 
dividing the range of values for each field into a plurality of ranged field buckets (a histogram may be generated by sorting an attribute associated with one or more data items into one or more ranges or buckets (e.g., a time attribute may be associated with a plurality of buckets, each corresponding to a particular time period, wherein all data items having a time attribute value that falls within the same time period may be placed in the same bucket). The histogram may then be displayed in a chart or graph in which entries in the chart or graph correspond to the attribute value buckets or ranges instead of individual attribute values, [0112]. The time-based attribute used to construct the timeline is divided into a number of buckets or time frames each corresponding to a period of time (e.g., a minute, hour, or day), [0113]); 
distributing the matched items between the ranged field buckets based on attributes of the matched items that are within the range of values for each ranged field bucket (display area 324 contains a histogram corresponding to the “Serial Number” attribute, with individual entries corresponding to unique values of the attribute, [0112]); and
calculating an effectiveness value for each field based on the number of matched items in each of the ranged field buckets (The number of raw data items having each property value is counted and displayed. While the example of FIG. 3C shows a single value for each serial number, in other examples multiple raw data items may include a same attribute value. In addition, display area 324 may also contain bars, lines, or other graphical elements displaying the relative number of raw data items having a particular attribute value in comparison with other values, allowing the user to easily visualize the distribution of raw data items over different values of the attribute, [0112]).





Neels then discloses:
calculating an effectiveness value for each field based on the number of matched items in each of the ranged field buckets (the relevance score for a particular field 242 may be based on a number of unique or different values of the particular field 242 in the events 240 of the object dataset 206 and/or a number of events 240 of the object dataset 206 that include the field 242, [0063]); 
selecting one or more top fields, each top field having an effectiveness value that is greater than a predetermined effectiveness value (fields 242 are selected based on scores for the fields. For example, the field selection process 212 can include calculating a relevance score for some or all of the fields 242 of the identified set of fields (object fields 210) and selecting fields 242 based on the relevance scores, [0063]); and
providing an effectiveness indicator output which is indicative of the effectiveness of each top field such that a user can use the effectiveness indicator output to select a top field for use as a filter in a further search (A relevance score may indicate whether a field 242 may be of particular interest for use in further refining the object dataset 206 generated as a result of the initial search query 203, [0063]).
It would have been obvious to an ordinary person skilled in the art at the time the invention was effectively filed to incorporate the teachings of Neels with the teachings of Yousaf for the purpose of identifying events matching criteria of an initial search query and a set of associated fields and causing display of an interactive graphical user interface that includes one or more interactive elements enabling a user to define a report for providing information relating to the matching events.
Regarding claims 2, and 16, Neels further discloses generating a further search instruction comprising the search term and a filter, wherein the filter corresponds to one or more of the top fields (an initial search query returns 100 events that correspond to log data generated by Server A, and a "time" field is one of the selected fields for the events, then, the interactive GUI can be used to specify additional filtering criteria for the time field, such as the time range of 9 am to 12 pm. If, for example, 10 of the 100 events have a time field with a value (e.g., a timestamp) corresponding to a time between 9 am and 12 pm, application of the additional filtering criteria may result in generating a report that includes the 10 events corresponding to 9 am to 12 pm (e.g., filtering out the 90 events that do not satisfy the additional filtering criteria) and/or includes aggregates or visualizations that are based on the 10 events, [0040]. A relevance score may indicate whether a field 242 may be of particular interest for use in further refining the object dataset 206 generated as a result of the initial search query 203, [0063]).
Regarding claims 3, and 17, Neels further discloses: providing a further search instruction output to a user which is indicative of the further search instruction; and receiving an input from the user which selects the further search instruction for use in a further search (FIG. 6C illustrates an example graphical user interface 600C displaying the reporting application's "Statistics Section" (e.g., as indicated by the selected tab) according to one or more embodiments of the disclosure. The section may include a "Pivot" link 620, a "Quick Reports" link 621, and a "Search Commands" link 622. The graphical user interface 600C may correspond to a graphical user interface that is provided by a field module 300 of FIG. 3, [0096]. See further all instances of Figures 6-7 and texts).
Regarding claims 4, and 18, Neels further discloses determining an effectiveness order for each top field based on its effectiveness value, wherein the effectiveness indicator output is indicative of the effectiveness order (one or more fields 242 with a relatively high relevance score may be selected for inclusion in the set of selected fields 214, and one or more fields 242 with a relatively low relevance score may not be selected and, thus, may be excluded from the set of selected fields 214. Thus, for example, the fields 242 with the top 10 highest relevance scores and/or relevance scores above a threshold score may be automatically selected for inclusion in the set of selected fields 214, [0063]).
Regarding claims 6, and 20, Neels further discloses providing the effectiveness indicator output comprises: outputting a graphical representation for each of the top fields which is indicative of the effectiveness value of the field (if the relevance score that is calculated for the field satisfies the threshold condition, adding the field to a set of selected fields (block 512). The method 500 may include, if the relevance score that is calculated for the field does not satisfy the threshold condition, not adding the field to (or otherwise excluding the field from) a set of selected fields (block 514). For example, if the relevance score that is calculated for the field satisfies the threshold condition, then the field 214 may be added to the selected fields 214 that are to be displayed to a user via the report editor GUI (e.g., for possible use in defining a report on the events 240 of the object dataset 206). If the relevance score that is calculated for the field does not satisfy the threshold condition, however, then the field 214 may not be added to the selected fields 214, [0089]).  
Regarding claims 11, and 25, Neels further discloses calculating a further effectiveness value corresponding to an extended attribute for a field based on the number of matched items in each ranged field bucket that comprise the extended attribute (a relevance score for a particular field 242 may be calculated based on (i) the number of unique or different values that exists for the field 242 in the various events 240, (ii) the number of the events 240 that include the field 242, and/or (iii) a percentage or ratio of fields 242 that should be selected to be displayed in the report editor GUI, [0088]).
Regarding claim 12, Neels then discloses the apparatus comprises a plurality of shards which each comprise a memory which stores the same instructions as the memory of any one of the preceding claims (The graphical user interface (GUI) sub-module 350 may provide for presenting displays (e.g., rendering the described interactive GUIs for display to a user) and/or receiving user input (e.g., an initial search query, selection of fields, report definitions and/or the like). Although certain embodiments are discussed with regard to operations performed by a given module for the purpose of illustration, the functionality and/or features of one or more of the sub-modules may be combined (e.g., shared) or divided (e.g., distributed), [0069]).





Claims 7-8, and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Yousaf in view of Neels and further in view of Bastide et al. (Pub. No. US 2017/0331776, filed on May 10, 2016; hereinafter Bastide).

Regarding claims 7, and 21, Bastide then discloses the graphical representation is a coloured area and the method comprises: selecting the colour of each coloured area in response to the effectiveness value of the field (Once the source list is identified (e.g., by user interaction with a graphical user interface (GUI)), the source list may be analyzed. Unique fields (e.g., the name of a sender or a subject line) may be extracted based on the analysis performed and then the extracted fields may be normalized using known methods. Once the unique fields are extracted, a decomposed layout view may be generated based on the number of times specific data appeared in the source list. Furthermore, the decomposed layout may organize the layout into columns of related data (e.g., a column to represent email senders). The decomposed layout may present to the user columns with visual indicators (e.g., rectangles or other shapes) that represent fields of data that appear frequently in the source list as well as altering the characteristics of the visual indicators (e.g., color saturation of the indicator rectangle) to convey relative frequency to the user, [0030]).  
It would have been obvious to an ordinary person skilled in the art at the time the invention was effectively filed to incorporate the teachings of Bastide with the teachings of Yousaf, as modified by Neels, for the purpose of dynamically extracting and defining a field from unstructured log data to analyze and highlight fields matching at least a defined condition.
Regarding claims 8, and 22, Bastide further discloses selecting the colour of each coloured area by modifying the saturation level of the colour of each coloured area in response to the effectiveness value of the field (The decomposed layout may present to the user columns with visual indicators (e.g., rectangles or other shapes) that represent fields of data that appear frequently in the source list as well as altering the characteristics of the visual indicators (e.g., color saturation of the indicator rectangle) to convey relative frequency to the user, [0030]).

Claims 9, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Yousaf in view of Neels and further in view of Miller et al. (Pub. No. US 2015/0154269, published on June 4, 2015; hereinafter Miller).

Regarding claims 9, and 23, Miller then discloses modifying a transparency level of at least part of the graphical representation in response to the effectiveness value of the field (displaying an event record based on an extraction rule may include emphasizing the fields defined by the extraction rules (e.g., the extracted value) in the event record. Examples of such emphasizing may include, but are not limited to, dimming, highlighting, underlining, bolding, striking through, italicizing, displaying different font, displaying different font size, displaying different color, displaying different transparency, including parenthesis around the text, and the like, [0251]).



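It would have been obvious to an ordinary person skilled in the art at the time the invention was effectively filed to incorporate the teachings of Miller with the teachings of Yousaf, as modified by Neels, for the purpose of automatically extracting a field and associated data values from one or more event records and visually emphasizing the field based on preset extraction criteria.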

Relevant Prior Art
The following prior art references are deemed relevant to the claims:
Dieberger et al. (Pub. No. US 2006/0100974) teaches a color or a hatching is assigned to records having equivalent values in the key field. Thus the finding of blocks of records, counting the number of blocks and assessing their size can be further supported. The colors or hatchings should be alternated. Record rows with the same sorted-by field value as the record in the row above are colored with the same color. Rows of records with a differing field value are displayed in a new or alternating color. 
Hinterbichler et al. (Pub. No. US 2014/0282031) teaches a log analytics graphical user interface that enables a user to dynamically extract and define a field from unstructured log data. The log analytics module automatically determines a definition for a field based on log text selected by the user. A portion of each log message is highlighted to reflect what the extracted field may be, to assist users with understanding if input parameters have selected the intended log data. Changes to the definition of the field, by the user, may cause further highlighting to indicate an incomplete or erroneous field definition.

Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SON T HOANG/
Primary Examiner, Art Unit 2169
February 26, 2022