DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Claims 1-5, 7-10, 12-18 and 20-23 are presented for examination.

The claims and only the claims form the metes and bounds of the invention.  “Office personnel are to give claims their broadest reasonable interpretation in light of the supporting disclosure. In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir. 1997).  Limitations appearing in the specification but not recited in the claim are not read into the claim.  In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 550-551 (CCPA 1969)” (MPEP p 2100-8, c 2, I 45-48; p 2100-9, c 1, l 1-4).  The Examiner has full latitude to interpret each claim in the broadest reasonable sense.  The Examiner will reference prior art using terminology familiar to one of ordinary skill in the art.  Such an approach is broad in concept and can be either explicit or implicit in meaning.

Response to Arguments
 Applicant's arguments have been considered but they are moot in view of new ground(s) of rejection. However, the Examiner welcomes any suggestion(s) Applicants may have on moving prosecution forward. The Examiner’s contact information is in the Conclusion section of this office action.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for allobviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-10, 12, 14-18 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2019/0236149 by Kuruvada et al. (“Kuruvada”) in view of US PGPUB 2015/0100557 by Golod et al. (“Golod”), and further in view of 2002/0009172 by Cornog et al. (“Cornog”).

As to Claim 1, Kuruvada teaches a method, comprising:
facilitating, by a system comprising a processor via a storage component, storing data to be streamed, resulting in a stored stream (Kuruvada: at least ¶0111; “forwarder initially may receive the data as a raw data stream generated by the input source” and “forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data”; note: data to be streamed are stored at source(s) of data); 
creating, by the system (Kuruvada: at least ¶¶0082-0083; “networked computer system 26 comprises one or more computing devices” and “the one or more computing devices may include one or more memories that store instructions for implementing the various components described herein, one or more hardware processors configured to execute the instructions stored in the one or more memories”), at least one index segment (Kuruvada: at least ¶0172; “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above” and “populates a tsdix file with the extracted time values”; ¶0359 further discloses “indexer can index data across many indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets by stage”) for the stored stream (Kuruvada: at least ¶0111; raw data stream generated by the input source” and “forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data”; ¶0119 further discloses “indexer associates with each event one or more metadata fields including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event”); and
creating, for an event in the stream, an index file in one of the at least one index segment, to map to the event (Kuruvada: at least ¶0059; “each event 1 through K can be associated with a timestamp 1 through K that can be derived from the raw data in the respective event” and “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame)”; ¶¶0172-0173 further disclose “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above”, “populates a tsdix file with the extracted time values” and “array of time values (e.g., timestamps) extracted from events”; ¶0177 further discloses “each "bucket" or events includes its own tsidx file”; note: ¶0111 explains that "blocks" can be "buckets”; note 2: see Kuruvada’s timestamps or time values correspond to data blocks that make up index); and
in response to a new event being appended to the stored stream (Kuruvada: at least ¶0111; “receive the data as a raw data stream generated by the input source”; Abstract explains that “data from the multiple sources comports with a variety of different data modes and may be received via the established network connections on a periodic or continuous basis for ongoing capture”; note: stream that contains continuous input of new events; new events come in with data stream), adding a new index file to the one of the at least one index segment to map to the new event (Kuruvada: at least ¶0109; “FIG. 5 depicts a flow chart illustrating an example data flow performed by data intake and query system 32” and “receiving and processing data during an input phase; an indexer is described as parsing and indexing data during parsing and indexing phases”; ¶0118 further disclose “At step 508, the indexer determines a timestamp for each event”; ¶0172 further discloses “time-series index ( tsidx) files that are populated at index time”, “a tsidx file is a self-contained file populated with data extracted at index time from events” and “the system populates a tsidx file with the extracted time values”; note: timestamps as index files that populate (are added to) index ), wherein the execution of the machine executable instructions executes at least one of: the creating of the at least one index segment, the creating of the index file, or the adding of the new index file (Kuruvada: at least ¶0118; “at step 508, the indexer determines a timestamp for each event”; ¶0172 further discloses “time-series index ( tsidx) files that are populated at index time”, “a tsidx file is a self-contained file populated with data extracted at index time from events” and “the system populates a tsidx file with the extracted time values”; note: timestamps of new events as new index files that populate (are added to) index segments).
Kuruvada does not explicitly disclose, but Golod discloses until a write lock occurs with respect to execution of machine-executable instructions, adding a new index file to the one of the at least one index segment to map to the new event (Golod: at least Fig. 4 shows 404 “populate index” until 410 when a temporary lock occurs; ¶0031 further discloses “… prior to indicating that the status of the index is complete, a lock may be placed on table column 302 in order to allow any uncommitted operations to resolve themselves”; note: populating of index (adding index entries) is not considered complete until a lock is placed (occurs)). 
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Golod’s feature of until a write lock occurs with respect to execution of machine-executable instructions, adding a new index file to the one of the at least one index segment to map to the new event (Golod: at least Fig. 4, ¶0031) with Kuruvada’s method. 
The suggestion/motivation for doing so would have been to complete update of index while allowing for “uncommitted operations to resolve themselves” (Golod: at least ¶0031).
Kuruvada and Golod do not explicitly disclose, but Cornog discloses creating, by the system, at least one index segment for the stored stream after the storing of the data is completed (Cornog: at least ¶0053; “an index may be created during capture of the media data from an input source, … , or as a process performed after receiving and/or storing the interleaved data stream”).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Cornog’s feature of creating, by the system, at least one index segment for the stored stream after the storing of the data is completed (Cornog: at least ¶0053) with the method disclosed by Kuruvada and Golod. 
The suggestion/motivation for doing so would have been to provide “… an index that stores information about how to access each grouping of elements in an interleaved data stream” and “random access to each element in the interleaved data stream can be achieved” (Cornog: at least ¶0005).
As to Claim 8, Kuruvada teaches a device, comprising: a processor (Kuruvada: at least ¶¶0082-0083; “networked computer system 26 comprises one or more computing devices” and “the one or more computing devices may include one or more memories that store instructions for implementing the various components described herein, one or more hardware processors configured to execute the instructions stored in the one or more memories”), and a memory having computer-executable instructions stored thereon which, when executed by the processor (Kuruvada: at least ¶0082;  “… to execute the instructions stored in the one or more memories”), causes the device to perform actions comprising:
storing data to be streamed in a stream storage system, resulting in a stored stream (Kuruvada: at least ¶0111; “forwarder initially may receive the data as a raw data stream generated by the input source” and “forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data”; note: data to be streamed are stored at source(s) of data); 
creating at least one index segment (Kuruvada: at least ¶0172; “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above” and “populates a tsdix extracted time values”; ¶0359 further discloses “indexer can index data across many indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets by stage”) for the stored stream of a stream storage system (Kuruvada: at least ¶0111; “forwarder initially may receive the data as a raw data stream generated by the input source” and “forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data”; ¶0119 further discloses “indexer associates with each event one or more metadata fields including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event”); creating, for an event in the stream, an index file in one of the at least one index segment, to map to the event (Kuruvada: at least ¶0059; “each event 1 through K can be associated with a timestamp 1 through K that can be derived from the raw data in the respective event” and “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame)”; ¶¶0172-0173 further disclose “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above”, “populates a tsdix file with the extracted time values” and “array of time its own tsidx file”; note: ¶0111 explains that "blocks" can be "buckets”; note 2: see Fig. 6 of Applicant’s disclosure that shows index files 610 as data blocks that make up index segments; Kuruvada’s timestamps or time values correspond to data blocks that make up index); and 
in response to a new event being appended to the stored stream (Kuruvada: at least ¶0111; “receive the data as a raw data stream generated by the input source”; Abstract explains that “data from the multiple sources comports with a variety of different data modes and may be received via the established network connections on a periodic or continuous basis for ongoing capture”; note: stream that contains continuous input of new events; new events come in with data stream), adding a new index file to the one of the at least one index segment to map to the new event (Kuruvada: at least ¶0109; “FIG. 5 depicts a flow chart illustrating an example data flow performed by data intake and query system 32” and “receiving and processing data during an input phase; an indexer is described as parsing and indexing data during parsing and indexing phases”; ¶0118 further disclose “At step 508, the indexer determines a timestamp for each event”; ¶0172 further discloses “time-series index ( tsidx) files that are populated at index time”, “a tsidx file is a self-contained file populated with extracted time values”; note: timestamps as index files that populate (are added to) index segments).
Kuruvada does not explicitly disclose, but Golod discloses until a write lock index file (Golod: at least ¶0015; “index can then be populated with data from the database table”; note: database table contains metadata and data is written to index as stream of bits of 0’s and 1’s),  comprising a write lock in the computer-executable instructions, is created, adding a new index file to the one of the at least one index segment to map to the new event (Golod: at least Fig. 4 shows 404 “populate index” until 410 when a temporary lock occurs; ¶0031 further discloses “… prior to indicating that the status of the index is complete, a lock may be placed on table column 302 in order to allow any uncommitted operations to resolve themselves”; note: populating of index (adding index entries) is not considered complete until a lock is placed (occurs)). 
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Golod’s feature of until a write lock index file (Golod: at least ¶0015), comprising a write lock in the computer-executable instructions, is created, adding a new index file to the one of the at least one Golod: at least Fig. 4, ¶0031) with Kuruvada’s device. 
The suggestion/motivation for doing so would have been to complete update of index while allowing for “uncommitted operations to resolve themselves” (Golod: at least ¶0031).
Kuruvada and Golod do not explicitly disclose, but Cornog discloses creating at least one index segment for the stored stream after the storing of the data to be streamed is completed (Cornog: at least ¶0053; “an index may be created during capture of the media data from an input source, … , or as a process performed after receiving and/or storing the interleaved data stream”).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Cornog’s feature of creating at least one index segment for the stored stream after the storing of the data to be streamed is completed (Cornog: at least ¶0053) with the device disclosed by Kuruvada and Golod. 
The suggestion/motivation for doing so would have been to provide “… an index that stores information about how to access each grouping of elements in an interleaved data stream” and “random access to each element in the interleaved data stream can be achieved” (Cornog: at least ¶0005).

As to Claim 15, Kuruvada teaches a computer program product stored on a non-transitory computer-readable medium and comprising machine-executable instructions (Kuruvada: at least ¶0082; “… to execute the instructions stored in the one or more memories”), the machine-executable instructions, when executed, causing a machine to perform actions comprising:
creating at least one index segment (Kuruvada: at least ¶0172; “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above” and “populates a tsdix file with the extracted time values”; ¶0359 further discloses “indexer can index data across many indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets by stage”) for a stream (Kuruvada: at least ¶0111; “forwarder initially may receive the data as a raw data stream generated by the input source” and “forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data”; ¶0119 further discloses “indexer associates with each event one or more metadata fields including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event”); creating, for an event in the stream, an index file in one of the at least one index segment, to map to the event Kuruvada: at least ¶0059; “each event 1 through K can be associated with a timestamp 1 through K that can be derived from the raw data in the respective event” and “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame)”; ¶¶0172-0173 further disclose “time-series index ( tsidx) files that are populated at index time. The tsidx files are populated at index time to facilitate searching of events, as detailed above”, “populates a tsdix file with the extracted time values” and “array of time values (e.g., timestamps) extracted from events”; ¶0177 further discloses “each "bucket" or events includes its own tsidx file”; note: ¶0111 explains that "blocks" can be "buckets”; note 2: see Fig. 6 of Applicant’s disclosure that shows index files 610 as data blocks that make up index segments; Kuruvada’s timestamps or time values correspond to data blocks that make up index); and
in response to a new event being appended to the stream (Kuruvada: at least ¶0111; “receive the data as a raw data stream generated by the input source”; Abstract explains that “data from the multiple sources comports with a variety of different data modes and may be received via the established network connections on a periodic or continuous basis for ongoing capture”; note: stream that contains continuous input of new events; new events come in ), adding a new index file to the one of the at least one index segment to map to the new event (Kuruvada: at least ¶0109; “FIG. 5 depicts a flow chart illustrating an example data flow performed by data intake and query system 32” and “receiving and processing data during an input phase; an indexer is described as parsing and indexing data during parsing and indexing phases”; ¶0118 further disclose “At step 508, the indexer determines a timestamp for each event”; ¶0172 further discloses “time-series index ( tsidx) files that are populated at index time”, “a tsidx file is a self-contained file populated with data extracted at index time from events” and “the system populates a tsidx file with the extracted time values”; note: timestamps as index files that populate (are added to) index segments).
Kuruvada does not explicitly disclose, but Golod discloses until a write lock index file (Golod: at least ¶0015; “index can then be populated with data from the database table”; note: database table contains metadata and data is written to index as stream of bits of 0’s and 1’s) is created, adding a new index file to the one of the at least one index segment to map to the new event (Golod: at least Fig. 4 shows 404 “populate index” until 410 when a temporary lock occurs; ¶0031 further discloses “… prior to indicating that the status of the index is complete, a lock may be placed on table column 302 in order to allow any note: populating of index (adding index entries) is not considered complete until a lock is placed (occurs)).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Golod’s feature of until a write lock index file  (Golod: at least ¶0015) is created, adding a new index file to the one of the at least one index segment to map to the new event (Golod: at least Fig. 4, ¶0031) with Kuruvada’s computer program product. 
The suggestion/motivation for doing so would have been to complete update of index while allowing for “uncommitted operations to resolve themselves” (Golod: at least ¶0031).
Kuruvada and Golod do not explicitly disclose, but Cornog discloses creating at least one index segment for said stream after a completion of data to be streamed being stored in a stream storage system as a stream that has been stored (Cornog: at least ¶0053; “an index may be created during capture of the media data from an input source, … , or as a process performed after receiving and/or storing the interleaved data stream”; note: completion of data can be completion of generation of said data).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Cornog’s feature creating at least one after a completion of data to be streamed being stored in a stream storage system as a stream that has been stored (Cornog: at least ¶0053) with the computer program product disclosed by Kuruvada and Golod. 
The suggestion/motivation for doing so would have been to provide “… an index that stores information about how to access each grouping of elements in an interleaved data stream” and “random access to each element in the interleaved data stream can be achieved” (Cornog: at least ¶0005).

As to Claim 2, Kuruvada, Golod and Cornog teach the method of claim 1, wherein the stored stream comprises a plurality of segments (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame)”; ¶0076 further discloses “system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.) and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store”), and the creating the at least one index segment comprises: creating a plurality of index segments for the plurality of segments in the stored stream (Kuruvada: at least ¶0062; “the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps”; ¶0124 also discloses “Timestamps enable a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”). 

As to Claim 3, Kuruvada, Golod and Cornog teach the method of claim 2, wherein each of the plurality of index segments is mapped to a respective segment of the plurality of segments in the stored stream (Kuruvada: at least ¶0062; “the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps”; ¶0124 also discloses “Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”).

As to Claim 4, Kuruvada, Golod and Cornog teach the method of claim 2, wherein the event in the stream is included in one of the plurality of segments in the stored stream (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame). The segments of raw data are indexed as timestamped events”), and the creating of the index file comprises: determining, from the plurality of index segments, an index segment mapped to the one of the plurality of segments in the stored stream (Kuruvada: at least ¶0125; “by storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”; ¶0177 further discloses “in some embodiments, each "bucket" or events includes its own tsidx file and companion journal. As such, processing a search query may require scanning the tsidx files of multiple buckets to obtain partial search results that are aggregated to obtain the search results that satisfy the search query. In some embodiments, to speed up searches, bloom filters can be used to narrow the set of tsidx files that the system 32 must search to obtain search results”; ¶0362 further discloses “search buckets of a number of indexes to retrieve query results. By organizing data into one or more indexes having one or more buckets, each spanning a certain time range and organized by age, the data intake and query system can search particular buckets while avoiding the need to search particular indexes (i.e., partitions of data)”).

As to Claim 5, Kuruvada, Golod and Cornog teach the method of claim 4, wherein the creating of the index file further comprises: creating the index file in the determined index segment, to map to the event (Kuruvada: at least ¶0124; “stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0172 further discloses “at index time, events can be processed to extract time values, metadata field values, user specified field values, other field values, etc. The system populates a tsidx file with the extracted time values and field values”; ¶¶0357, 0359 further disclose “tsidx or msidx and/or journal files that reside in directories referred to as buckets” and “each index can have its own directories with subdirectories that categorize buckets”).

As to Claim 7, Kuruvada, Golod and Cornog teach the method of claim 1, wherein the stored stream comprises at least one of: a metadata stream, a deleted file stream and a data stream (Kuruvada: at least ¶0059; “forwarder initially may receive the data as a raw data stream generated by the input source”).

As to Claim 9, Kuruvada, Golod and Cornog teach the device for claim 8, wherein the stored stream comprises a plurality of segments (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame)”; ¶0076 further discloses “system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.) and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store”), and the creating of the at least one index segment comprises: creating a plurality of index segments for the plurality of segments in the stored stream (Kuruvada: at least ¶0062; “the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps”; ¶0124 also discloses “Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”), wherein each of the plurality of index segments is mapped to a respective segment of the plurality of segments in the stored stream (Kuruvada: at least ¶0062; “the raw data a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”). 

As to Claim 10, Kuruvada, Golod and Cornog teach the device for claim 9, wherein the event in the stored stream is included in one of the plurality of segments in the stored stream (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame). The segments of raw data are indexed as timestamped events”), and the creating of the index file comprises: determining, from the plurality of index segments, an index segment mapped to the one of the plurality of segments in the stored stream (Kuruvada: at least ¶0125; “by storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”; ¶0177 further discloses “in some embodiments, each "bucket" or events includes its own tsidx file and companion journal. As such, processing a search query may require scanning the tsidx files of multiple buckets to obtain partial search results that are aggregated to obtain the search results that satisfy the search query. In some embodiments, to speed up searches, bloom filters can be used to narrow the set of tsidx files that the system 32 must search to obtain search results”; ¶0362 further discloses “search buckets of a number of indexes to retrieve query results. By organizing data into one or more indexes having one or more buckets, each spanning a certain time range and organized by age, the data intake and query system can search particular buckets while avoiding the need to search other buckets” and “search several indexers having particular indexes (i.e., partitions of data)”); and creating the index file in the determined index segment, to map to the event (Kuruvada: at least ¶0124; “stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0172 further discloses “at index time, events can be processed to extract time values, metadata field values, user specified field values, other field values, etc. The system populates a tsidx file with the extracted time values and field values”; ¶¶0357, 0359 further disclose “tsidx or msidx and/or journal files that reside in ).

As to Claim 12, Kuruvada, Golod and Cornog teach the device for claim 8, wherein the stored stream comprises a metadata stream (Kuruvada: at least ¶0112; “each block generated from the raw data with one or more metadata fields”; ¶0172 further discloses “a tsidx file is a self-contained file populated with data extracted at index time from events. The tsidx file can associate field values (e.g., keywords) of events with location references to the events, which are stored in a companion journal file. For example, at index time, events can be processed to extract time values, metadata field values, user specified field values, other field values, etc.”).

As to Claim 14, Kuruvada, Golod and Cornog teach the device for claim 8, wherein the stored stream comprises a data stream (Kuruvada: at least ¶0059; “forwarder initially may receive the data as a raw data stream generated by the input source”). 

As to Claim 16, Kuruvada, Golod and Cornog teach the computer program product of claim 15, wherein the stream comprises segments (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data blocks of raw data, each associated with a specific time frame)”; ¶0076 further discloses “system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.) and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store”), wherein the actions further comprise creating the at least one index segment comprising creating index segments for the segments in the stream (Kuruvada: at least ¶0062; “the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps”; ¶0124 also discloses “Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”), and wherein each of the index segments is mapped to a respective segment of the segments in the stream (Kuruvada: at least ¶0062; “the raw data can be divided into segments and indexed by timestamps. The predetermined data items can be associated with the events indexed by timestamps”; ¶0124 also discloses “Timestamps enable a user to search for events based on a time range. In one embodiment, the stored events are a specific time range based on the timestamps associated with each event”; ¶0359 further discloses “indexes, where each index can define a partition of the data. Each index can have its own directories with subdirectories that categorize buckets”). 

As to Claim 17, Kuruvada, Golod and Cornog teach the computer program product of claim 16, wherein the event in the stream is included in one of the segments in the stream (Kuruvada: at least ¶0059; “ingested raw data is divided into segments of raw data delineated by time segments (e.g., blocks of raw data, each associated with a specific time frame). The segments of raw data are indexed as timestamped events”), and creating the index file comprises: determining, from the index segments, an index segment mapped to the one of the segments in the stream, resulting in a determined index segment ((Kuruvada: at least ¶0125; “by storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query”; ¶0177 further discloses “in some embodiments, each "bucket" or events includes its own tsidx file and companion journal. As such, processing a search query may require scanning the tsidx files of multiple buckets to obtain partial search results that narrow the set of tsidx files that the system 32 must search to obtain search results”; ¶0362 further discloses “search buckets of a number of indexes to retrieve query results. By organizing data into one or more indexes having one or more buckets, each spanning a certain time range and organized by age, the data intake and query system can search particular buckets while avoiding the need to search other buckets” and “search several indexers having particular indexes (i.e., partitions of data)”). 

As to Claim 18, Kuruvada, Golod and Cornog teach the computer program product of claim 17, wherein the creating of the index file further comprises: creating the index file in the determined index segment, to map to the event (Kuruvada: at least ¶0124; “stored events are organized into "buckets," where each bucket stores events associated with a specific time range based on the timestamps associated with each event”; ¶0172 further discloses “at index time, events can be processed to extract time values, metadata field values, user specified field values, other field values, etc. The system populates a tsidx file with the extracted time values and field values”; ¶¶0357, 0359 further disclose “tsidx or msidx and/or journal files that ).

As to Claim 20, Kuruvada, Golod and Cornog teach the computer program product of claim 15, wherein the stream comprises a metadata stream (Kuruvada: at least ¶0112; “each block generated from the raw data with one or more metadata fields”; ¶0172 further discloses “a tsidx file is a self-contained file populated with data extracted at index time from events. The tsidx file can associate field values (e.g., keywords) of events with location references to the events, which are stored in a companion journal file. For example, at index time, events can be processed to extract time values, metadata field values, user specified field values, other field values, etc.”).

As to Claim 21, Kuruvada, Golod and Cornog teach the computer program product of claim 20, wherein the metadata stream stores metadata (Kuruvada: at least ¶0112; “each block generated from the raw data with one or more metadata fields”; ¶0172 further discloses “events can be processed to extract time values, metadata field values”), and wherein the metadata comprises global metadata of machine-executable instructions (Kuruvada: at least ¶0172; “tsidx files are populated at index note: extracted metadata in tsidx, for example, is global metadata that can be used globally; as ¶0175 discloses “during search time, a query may include criteria that specify field values (e.g., meta-field values) contained in the lexicon of the tsidx file. The lexicon is searched to identify the specified field values” – this means the metadata can be accessible globally to perform search/query) or cloud metadata.

Claims 13 and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPUB 2019/0236149 by Kuruvada et al. (“Kuruvada”) in view of US PGPUB 2015/0100557 by Golod et al. (“Golod”), and further in view of 2002/0009172 by Cornog et al. (“Cornog”), and further in view of US Patent 6,067,541 by Raju et al. (“Raju”).

As to Claim 13, Kuruvada, Golod and Cornog teach the device for claim 8.
Kuruvada, Golod and Cornog do not explicitly disclose, but Raju discloses wherein the stored stream comprises a deleted file stream (Raju: at least Col. 5 Lines 31-35; “as files are added, deleted or modified, NTFS appends USN records to a per-volume stream (the USN log file 62) that identify the files and describe the various modifications thereto”; Col. 6 Lines 37-40 further disclose “each notification record (e.g., 622) identifies which document has changed and thus is to be re-indexed, or, if a delete notification record, which document has been deleted”; note: a file stream that contain events including file deletion events).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Raju’s feature of wherein the stored stream comprises a deleted file stream (Raju: at least Col. 5 Lines 31-35, Col. 6 Lines 37-40) with the data streams disclosed in the device disclosed by Kuruvada, Golod and Cornog. 
The suggestion/motivation for doing so would have been to track/monitor document changes using indexes that “reflect document changes that occurred” (Raju: at least Abstract).

As to Claim 22, Kuruvada, Golod and Cornog teach the computer program product of claim 15.

Kuruvada, Golod and Cornog do not explicitly disclose, but Raju discloses wherein the stream comprises a deleted file stream (Raju: at least Col. 5 Lines 31-35; “as files are added, deleted or modified, NTFS appends USN records to a per-volume stream (the USN log file 62) that identify the files and describe the various modifications thereto”; Col. 6 Lines 37-40 further disclose “each notification record (e.g., 622) identifies which document has changed and thus is to be re-indexed, or, if a delete notification record, which document has been deleted”; note: a file stream that contain events including file deletion events).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Raju’s feature of wherein the stream comprises a deleted file stream (Raju: at least Col. 5 Lines 31-35, Col. 6 Lines 37-40) with the computer program product disclosed by Kuruvada, Golod and Cornog. 
The suggestion/motivation for doing so would have been to track/monitor document changes using indexes that “reflect document changes that occurred” (Raju: at least Abstract).

 As to Claim 23, Kuruvada, Golod, Cornog and Raju teach the computer program product of claim 22.

Kuruvada, Golod and Cornog do not explicitly disclose, but Raju discloses wherein the actions further comprise, in response to a new deleted file being added to the deleted file stream (Raju: at least Col. 5 Lines 31-33; “as files are added, deleted or modified, NTFS appends USN records to a per-volume stream (the USN log file 62)”), creating a new delete event (Raju: at least Col. 5 Lines 31-33; “… USN records … that identify the files and describe the various modifications thereto”; Col. 6 Lines 37-40 further disclose “each notification record (e.g., 622) identifies which document has changed and thus is to be re-indexed, or, if a delete notification record, which document has been deleted”; note: records the represent deletion events are created in stream “(the USN log file 62)”).
It would have been obvious to one of ordinary skill in the art before the effectivefiling date of the claimed invention to incorporate Raju’s feature of wherein the actions further comprise, in response to a new deleted file being added to the deleted file stream (Raju: at least Col. 5 Lines 31-33), creating a new delete event (Raju: at least Col. 5 Lines 31-33, Col. 6 Lines 37-40) with the computer program product disclosed by Kuruvada, Golod and Cornog. 
The suggestion/motivation for doing so would have been to track/monitor document changes using indexes that “reflect document changes that occurred” (Raju: at least Abstract).

Conclusion 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Huen Wong whose telephone number is (571) 270-3426. The examiner can normally be reached on Monday - Friday (10:30AM EST - 6:30PM EST). If attempts to reach the examiner by telephone are unsuccessful, the Examiner's supervisor, Fred Ehichioya can be reached on (571) 272-4034. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300 for regular communications and after final communications. 
Information regarding the status of an application may be obtained from thePatent Application Information Retrieval (PAIR) system. Status information for
/H .W./ 
Examiner, AU 2168
23 March 2022

/MAHESH H DWIVEDI/Primary Examiner, Art Unit 2168