DETAILED ACTION
Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-10, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Grant (U.S. Patent 7,043,566) in view of Frampton et al. (U.S. PG PUB 2016/0246849) and Waldorf (U.S. PG PUB 2006/0156314).


receiving a plurality of events from an event source, each event comprising event data relating to a monitored system associated with the event source (see col. 2, lines 25-45, (10) The present invention relates to a system and method of monitoring and gathering events for a plurality of entities as a single entity. For example, the entities may include a plurality of members (e.g., computers, servers, clusters) collectively cooperating as a whole. In accordance with one aspect of the present invention, a system interface is provided wherein a consistent and unified representation of event information of a plurality of the entities as a whole may be obtained from any of the members associated with the entity.); 
identifying a set of data fields in the event data of the plurality of events (see col. 6, lines 19-48, (24) The user may then define and/or limit the event types by entering and/or selecting event types in the selection fields for a particular log 70b, 70c and 70d (e.g., Errors Only, Warnings Only, Errors and Warnings, etc.));
determining one or more relationships between at least one data field in the set of data fields and at least one other data field in the set of data fields (see col. 9, lines 30-55, (36) The mapping component 116 maps different event types such as health events 106, entity events 108, operating system events 110 and any additional events 132 into a common data format in the data store 102. The data store 102 stores event data in an events common table 140 and an events specific table 142. The events common table 140 includes a unique event identifier for each event and the fields common to all event types. The events specific table 142 includes the unique event identifier for each member, the member identifier and the fields unique to that particular event type (e.g., a particular instance of that event)), and 
determining a mapping of the event data of the plurality of events to a predefined common format, based on the one or more relationships (see col. 2, lines 44-61, (11) The present invention relates to a system and method for specifying events to be logged across a plurality of machines and for standardizing those events from different types of events into a single event type. The present invention further provides for replication of the configuration throughout a plurality of machines. The system and method employ an event monitor system that combines events from multiple sources with different schemas into a single list of events having a common schema. The monitor system analyzes data from different event types and maps the data to a common event type format.).

identifying an anchor field in the set of data fields that is present in the plurality of events (see ¶ [0077] “Examples of field types that may be assigned to fields include "IP address", "MAC address", "user ID", "host ID", and so on. Each source type may indicate a different set of fields that are to be assigned field types” and ¶ [0104] “Once the context definition associated with an event is determined, context determiner 410 may determine the event context for the event using the context definition. By adding an event context to an event, the context determiner 410 is encoding knowledge and meaning into a previously static log entry. The event context for an event may be a values list or dictionary of key value pairs that includes each of the fields specified in the context definition and the field values for those fields from the event.”) and has a number of distinct values equal to or between two and ten (see ¶[00110] “As a result, context determiner may end up with three distinct event contexts for three different users of a machine. A first identity event context may indicate that a first user (e.g., Bob) performed 400 different tasks on the machine in a particular time period. A second identity event context may indicate that a second user (e.g., Carol) performed 10 different tasks on the machine in the particular time period. A third identity event context may indicate that a third user (e.g., unidentifiable user) performed a single operation on the machine in the particular time period. The single operation performed by the unidentifiable user would ordinarily be buried in the information on the hundreds of tasks that were performed by Bob and Carol. However, by representing the events as event contexts, the actions of the unidentifiable user become apparent”);
identifying one or more sub-anchor fields that are conditionally present in the plurality of events when the anchor field has a particular value (see ¶ [0203] “At block 1120, processing logic determines a first subset of the events that are associated with a context definition. At block 1130, processing logic determines fields that are specified by the context definition. At block 1135, processing logic determines, for events in the first subset, field values of one or more fields specified in the context definition. At block 1140, processing logic generates a report based on the field values of the one or more fields specified in the context definition from the events in the first subset”), wherein the conditional presence is selected from a group consisting of always, sometimes, or never (see ¶ [0031] “The ECMS determines a first subset of the plurality of events associated with a first context definition. The ECMS determines fields Note: when the source type (anchor field) has a particular value, it will have a certain subset of fields; the subset of fields is dependent upon the source type; therefore, the subset of fields is conditionally present always, sometimes, or never depending on the source type).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant by adapting the teachings of Frampton to store and search events using contextual information (see ¶ [0002] of Frampton).
Frampton does not expressly disclose, but Waldorf teaches
based on identifying the one or more sub-anchor fields that are conditionally present sometimes in the plurality of events when the anchor field has a particular value, identifying one or more sub-sub-anchor fields that are conditionally present always, sometimes, or never in the plurality of events when the one or more sub-anchor fields have a particular value (see ¶ [0091] “For element nodes, which can have sub-nodes, one embodiment of the collaboration can be configured to permit these four functions to operate recursively by calling corresponding functions for the sub-fields, sub-elements, sub-sub-fields, sub-sub-elements, etc., until the function has been resolved to its leaf nodes as described in greater 
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant and Frampton by adapting the teachings of Waldorf to enhance interfacing methods.

Regarding claim 4, Grant does not expressly disclose, but Frampton teaches wherein determining one or more relationships between at least one data field in the set of data fields and at least one other data field in the set of data fields comprises: determining a condition that defines the relationship between each sub-anchor field and the anchor field in the set of data fields (see ¶ [0078] “By generating events that identify those fields that contain useful information and specifying those fields for use as index keys and/or link keys, meaningful relationships between events can be determined in queries to the event data store 165. For example, if two events both contain the same device IP address that has been assigned an IP address field type, those two events may be linked based on that host IP address during a search, and information from both of the events may be used to determine a context surrounding the two events.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant by adapting the teachings of Frampton to store and search events using contextual information (see ¶ [0002] of Frampton).

Regarding claim 5, Grant does not expressly disclose, but Frampton teaches wherein determining one or more relationships between at least one data field in the set of data fields and at least one other data field in the set of data fields is performed iteratively until all relationships between each data field and the other data fields in the set of data fields are determined (see ¶ [0027] “This process may be repeated for each event included in the first plurality of events. The ECMS then aggregates information from the 
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant by adapting the teachings of Frampton to store and search events using contextual information (see ¶ [0002] of Frampton).

Regarding claim 6, Grant does not expressly disclose, but Frampton teaches further comprising: comparing at least one data field in the set of data fields for the plurality of events with data fields in a set of data fields for events provided by another event source to determine one or more relationships between data fields for the plurality of events and data fields for events provided by the other event source (see ¶ [0078] “By generating events that identify those fields that contain useful information and specifying those fields for use as index keys and/or link keys, meaningful relationships between events can be determined in queries to the event data store 165. For example, if two events both contain the same device IP address that has been assigned an IP address field type, those two events may be linked based on that host IP address during a search, and information from both of the events may be used to determine a context surrounding the two events.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant by adapting the teachings of Frampton to store and search events using contextual information (see ¶ [0002] of Frampton).

Regarding claim 7, Grant does not expressly disclose, but Frampton teaches wherein the comparing determines one or more relationships selected from the group consisting of: an exact match between the names or values of fields and their relationships; a similarity between the names or values of fields and their relationships, and a cognitive match between names or values of fields and their relationships, including a match in meaning of the names or values or the phonetic or translated equivalents thereof (see ¶ [0066] “Source type determiner 308 may then compare the determined information, pattern and/or common elements to known log formats associated with source types. In one embodiment, source type determiner 308 compares the determined information, pattern and/or common 
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant by adapting the teachings of Frampton to store and search events using contextual information (see ¶ [0002] of Frampton).

Regarding claim 8, Grant does not expressly disclose, but Frampton teaches further comprising: determining one or more relationships between at least one data field in the set of data fields and at least one data field of the predefined common format (see ¶ [0078] “By generating events that identify those fields that contain useful information and specifying those fields for use as index keys and/or link keys, meaningful relationships between events can be determined in queries to the event data store 165. For example, if two events both contain the same device IP address that has been assigned an IP address field type, those two events may be linked based on that host IP address during a search, and information from both of the events may be used to determine a context surrounding the two events.”), and comparing determined relationships between at least one data field in the set of data fields and at least one data field of the predefined common format with known relationships between data fields of events provided by another event source and the data fields of the predefined common format (see ¶ [0123] “Each report section may additionally indicate a most common event context or multiple most common event contexts of that context type, a most common field value or most common field values of the event contexts having that context type, and so on. Most common event contexts may be determined, for example, by determining a number of instances of multiple different event contexts, comparing the number of instances of these event contexts, and then selecting the event context having the most instances as the most common event context. By grouping the event context information based on context type, the efficiency of user investigations is improved.”).


Regarding claim 9, Grant teaches wherein determining a mapping of the event data of the plurality of events to a predefined common format, based on the determined one or more relationships, comprises: determining a mapping rule, for mapping data of a data field to a corresponding data field of the predefined common format (see col. 10, lines 14-30, (38) If the event has not occurred before (NO), the event monitor system 104 maps event common log data to the events common table 140 according to a common schema. The event monitor system 104 then proceeds to step 340 and maps the event specific data of the instance or occurrence to the events specific table 142 according to a common schema. Referring again to step 320, if the event monitor system 104 determines that the event has occurred before (YES), the event monitor system 104 skips step 330 and proceeds to step 340 and maps the event specific data of the instance or occurrence to the events specific table 142 according to a common schema.).

Regarding claim 10, Grant teaches further comprising: deploying a normalizer in an event management system, wherein the normalizer is configured to implement the determined mapping of the event data of the plurality of events to the predefined common format for events received by the event management system from the event source (see col. 2, lines 62-67, to col. 3, lines 1-7, (12) Each member of the entity then stores these events locally throughout the entity in a common data format or schema. An interface allows a user to specify what types, sources and severity types of events to be returned to a requestor as a single result set from a single member or a coalesced result set from the entity.).

Regarding claim 13, it is an apparatus claim corresponding to method claim 1 above. Therefore, it is rejected for the same reasons. In addition, Grant teaches an apparatus comprising: an event learning system comprising a processor and memory (see Fig. 9, 421, and 422), wherein the processor is configured to perform the methods of claim 1.


Regarding claim 15, it corresponds to claims 3 and 4 together, and is rejected for the same reasons.

Regarding claim 20, it is a product claim corresponding to method claim 1 above. Therefore, it is rejected for the same reasons. In addition, Grant teaches a computer program product comprising a computer readable storage medium (see Fig. 9, 427) having program instructions embodied therewith, wherein the program instructions are executable by a processor.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Grant (U.S. Patent 7,043,566) in view of Frampton et al. (U.S. PG PUB 2016/0246849) and Waldorf (U.S. PG PUB 2006/0156314) as applied to claim 10 above, further in view of Zhang (U.S. PG PUB 2013/0110745).

Regarding claim 11, Grant, Frampton, and Waldorf do not expressly disclose, but Zhang teaches further comprising: 
determining an event model of events received from the event source, and deploying a validator in the event management system, wherein the validator is configured to validate events received by the event management system from the event source (see ¶ [0026] “Event validation module 302 receives the input events passed by filtering module 300 to confirm that the information contained in the input events is valid. For example, event validation module 302 might confirm that numeric fields in an input event record are within the specified range, that a Boolean True/False field contains either a "True" or a "False," etc. Event filtering module 300 and event validation module 302 make use of event registries 126, which contain information on known input event types, record layouts, valid field values and ranges, etc.”), 
wherein: if a received event from the event source is validated, the validator forwards the event data for the received event to the normalizer (see ¶ [0041] “For example, event processing services 122 
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant, Frampton, and Waldorf by adapting the teachings of Zhang to generate event processing rules (see ¶ [0001] of Zhang).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Grant (U.S. Patent 7,043,566), Frampton et al. (U.S. PG PUB 2016/0246849), and Waldorf (U.S. PG PUB 2006/0156314) as applied to claim 10 above, further in view of Wadley et al. (U.S. PG PUB 2017/0345074).

Regarding claim 12, Grant teaches further comprising:
receiving at least one new event from the event source (see (16) The event gathering and coalescing system requests and receives event data from the members based on a requested event type.);
identifying new fields in the set of data fields in the event data, based on the at least one new event from the event source (see (38) If the event has not occurred before (NO), the event monitor system 104 maps event common log data to the events common table 140 according to a common schema);
analyzing the at least one new event (see (11) The monitor system analyzes data from different event types and maps the data to a common event type format. The configuration of which event types 
Grant, Frampton, and Waldorf do not expressly disclose but Wadley teaches to determine one or more relationships selected from the group consisting of: relationships between at least one data field and at least one other data field in the new event (see ¶ [0098] “The first set of rules may include relationships between common data fields and the data source(s) that provided the value(s) of the common data fields. That is, as discussed above in reference to FIG. 6, a common data field may include multiple values, wherein each value may be received from a different data source (such as the first data source, second data source, third data source, and fourth data source discussed above in reference to FIG. 3). The first set of rules may indicate the preliminary scores to be assigned to these values based on the data sources that provided these values.”), and relationships between at least one data field in the new event and at least one data field of the predefined common format, and 
updating the determined mapping of the event data of events from the event source to the predefined common format, based on the analysis (see ¶ [0069] “or more external sources 150, and/or the one or more user devices 162. In some examples, the contextual data sourcing module 118 may analyze the contextual data according to the rules mapping data sources to certain contextual data. For instance, the contextual data sourcing module 118 may be configured with rules mapping one or more data sources (e.g., internal sources, external sources, user devices, and the like) to certain contextual data. As such, via the rules, the contextual data sourcing module 118 may recognize that certain data sources may be more or less suitable for certain types of information.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Grant, Frampton, and Waldorf by adapting the teachings of Wadley to collect and analyze contextual data from a plurality of data sources (see ¶ [0004] of Wadley).

Response to Arguments
Applicant's arguments filed 3/4/2021 have been fully considered but they are not persuasive. Applicants argue that Frampton does not disclose the claim limitations, specifically, Frampton does not disclose one or more subfields and a conditional presence as conditionally present always, sometimes or never, and arguing that Frampton is deducing a conditional presence but does not teach it. 

Examiner disagrees. Examiner is not deducing a conditional presence. Frampton teaches a sub-anchor field with a conditional presence. Frampton teaches:
an anchor field (see ¶ [0148] source type with fields and field types);
a sub-anchor field (see ¶ [0181] “identified subset of fields”); and
a conditional presence always, sometimes or never of the sub-anchor field when the anchor field has a particular value (see ¶ [0182] “At block 850, processing logic determines a field type of each of the identified fields in the subset. The field types to be assigned to the fields in the subset are identified in the source type. Accordingly, the source type may be used to determine the field types to assign to those fields. At block 855, processing logic assigns the determined field types to the fields in the subset.” See ¶ [0077] “Each source type may indicate a different set of fields that are to be assigned field types. At any time, the source type may be updated to modify the fields that are to be assigned field types, and therefore to modify the fields that will be used as index keys and/or link keys.”).
Frampton teaches the claim limitation “identifying one or more conditionally present sub-anchor fields in the plurality of events when the anchor field has a particular value” because Frampton teaches having a particular subset of fields depending on the source type; that dependence on the value of the anchor field is what makes the subset conditional. Therefore, the subset of fields is a conditional subset of fields because not all fields will be present at all times; only the fields associated with the source type will be present. In other words, when the source type has a particular value, it will have a certain subset of fields. These subsets of fields are dependent upon the source type; thus the subset of fields is conditionally present always, sometimes or never depending on the particular source type.

Support for Amendments and Newly Added Claims
Applicants are respectfully requested, in the event of an amendment to claims or submission of new claims, that such claims and their limitations be directly mapped to the specification, which provides support for the subject matter. This will assist in expediting compact prosecution. MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.” Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R. 1.121(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.

Interview Requests
In accordance with 37 CFR 1.133(a)(3), requests for interview must be made in advance. Interview requests are to be made by telephone call (571-270-7848) or fax (571-270-8848). Applicants must provide a detailed agenda as to what will be discussed (a request with a generic statement such as “discuss §102 rejection” or “discuss rejections of claims 1-3” may be denied). The detailed agenda, along with any proposed amendments, is to be written on a PTOL-413A or a custom form and should be faxed (or emailed, subject to MPEP 713.01.I / MPEP 502.03) to the Examiner at least 5 business days prior to the scheduled interview. Interview requests submitted within amendments may be denied because the Examiner was not notified, in advance, of the Applicant Initiated Interview Request and due to time constraints may not be able to review the interview request prior to the mailing of the next Office Action.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARINA YUN whose telephone number is (571)270-7848. The examiner can normally be reached Mon, Weds, Thurs, 9-4.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to call.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow, can be reached on (571) 272-7767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Carina Yun
Patent Examiner
Art Unit 2194



/CARINA YUN/Examiner, Art Unit 2194

/DOON Y CHOW/Supervisory Patent Examiner, Art Unit 2194