Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/06/2021 has been entered.

The instant application having Application No. 15/360,449 has claims 1-24 pending in the application filed on 11/23/2016, there are 5 independent claims and 19 dependent claims, all of which are ready for examination by the examiner.  The applicant added a new claims 23 and 24 (dated 12/06/2021)

Acknowledgement Of References Cited By Applicant

As required by M.P.E.P.  609(C), the applicant’s submissions of the Information Disclosure Statements dated February 24, 2022 is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P 609 C (2), a copy of the PTOL-1449 initialed and dated by the examiner is attached to the instant office action.

Response to Arguments

This Office Action is in response to applicant’s communication filed on December 6, 2021 in response to PTO Office Action dated June 4, 2021.  The Applicant’s remarks and amendments to the claims and/or specification were considered with the results that follow.


35 USC § 103 Rejection of claims 1-22

Applicant's arguments filed on 12/06/2021 with respect to the claims 1-22 have been fully considered but are moot because the arguments do not apply to any of the references being used in the current rejection.



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-24 are rejected under 35 U.S.C. 103 as being unpatentable over Govrin et al (US PGPUB 20030084053) in view of Bishop et al (US PGPUB 20170083368) and in further view of Xu et al (US PGPUB 20190317947). 

As per claim 1:
Govrin teaches:
“A method performed by a data processing system for processing data, the method including” Paragraph [0010] (method for analyzing and effectively distributing large quantities of data includes)) 
“intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
 “processing the modified data record by applying one or more rules to the modified data record” Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100]  (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY discloses: as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing near real-time data from a field in the at least one detected data record that is received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record.
However, in an analogous art, Bishop teaches:
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and subsequent processing of the collected data which is received as continuous near real-time (NRT) data streams and the grouping is on a tuple-by-type basis where each pipeline is identified by a unique pipeline identifier (ID)))
“accessing near real-time data from a field in the at least one detected data record that is received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0054] and Paragraph [0055] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline where a time-slice based definition includes partitioning at least one incoming near real-time (NRT) data stream by its most recently received portion within a time window and a batch is transactional boundary of stream processing within a container, such a transaction is considered to be complete when a batch is completely processed))
“and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received” (Paragraph [0054], Paragraph [0061] and Paragraph [0062] (the “Internet of Things (IoT) platform” is defined as an integrated environment that collects and processes a high volume of data from a plurality of entities in real-time or near real-time, often with low latency where processing logic can be applied to the data to generate real-time or near real-time analytics that utilizes computation over a combination of stream mode and batch mode to periodically generate aggregates using batch and offline analytics and substitute results from real-time data streams to generate real-time analytics, performing computational tasks like data mining, machine learning, statistical processing, predictive analytics, time series analysis, rule based processing, complex event processing, pattern detection, correlation and more and where a combination of time-size basis and batch-size basis is used to define batches, each batch in a pipeline is identified by a unique batch identifier (ID)))
 “populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record” (Paragraph [0054], Paragraph [0118], Paragraph [0146] and Paragraph [0170] (After ingesting (populating), digesting, and applying enterprise context (real-time aggregation) to the data streams, the intelligent outputs are produced and delivered (inserted) in the right form, at the right time, and to the right channel, worker nodes in the worker tier can perform tasks like aggregations, functions and stream groupings and commits to external persistence layers like rich contextual data store, application(s) can include a data manager component that can be configured to insert, delete, and/or update the records stored in the data store and each batch in a pipeline is identified by a unique batch identifier (ID))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bishop and apply them on teachings of Govrin for “as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; accessing near real-time data from a field in the at least one detected data record that is received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record”.  One would be motivated as the worker nodes in the worker tier perform various stream processing jobs such as simple data transformation to complex operations such as multi-stream joins and can perform tasks like aggregations, functions and stream groupings (Bishop, Paragraph [0146]).
Govrin and Bishop do not EXPLICITLY teach: searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier.
However, in an analogous art, Xu teaches:
“searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Xu and apply them on teachings of Govrin and Bishop for “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier”.  One would be motivated as the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]).

As per claim 2:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein inserting the data from the at least one of the data records into the other field of the data record includes” (Paragraph [0046] (the combination of date warehouse repositories and external data sources results in the creation of active Intelligence as a layer))
“inserting data from the at least one detected data record into the other field of the data record modified by inserting” (Paragraph [0080] (parameters are business accumulators that are wrapped in a multi-dimensional indexing cover and hold logic that describes the way they are updated and the type of data they hold)).

As per claim 3:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“collecting a plurality of data records” (Paragraph [0021] (process huge quantities of records per second from any external data source)).
“and augmenting the first data record with the combined data for the at least one detected data record” (Paragraph [0046] (the combination of date warehouse repositories and external data sources results in the creation of active Intelligence is positioned as a layer between the organization's data sources)).
Also Bishop further teaches:
“publishing the data records to a single queue” (Paragraph [0053] (a near real-time (NRT) data stream is queued to a task sequence in a single pipeline))
“from the queue, detecting the two or more data records” (Paragraph [0054] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline))
“joining together the detected two or more data records into the first data record, with the detected two or more data records including data representing different types of events” (Paragraph [0144] and Paragraph [0147] (a batch is defined as an assemblage of event tuples, also referred to as “units of work”, partitioned on a time-slice basis and/or a batch-size basis and a tuple is a set of values for a pre-defined set of fields)).

As per claim 4:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein the prior time period is a time prior to performance of the detecting” (Paragraph [0011] (historical data can be thereby be utilized to enable vastly improved decision-making opportunities for current events)).

As per claim 5:
Govrin, Bishop and Xu teach the method as specified in the parent claim 3 above. 
Govrin further teaches:
“attaching, to the first data record, customer profile data for a customer associated with a particular event included in the first data record” (Paragraph [0020] (a set of rules that define a way to detect fraud in a financial transaction system, based on parameters such as client profiles))
“and attaching to the first data record an appendable lookup file (ALF) with a historical aggregation for the particular event” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources such as relational databases and flat files on request)).

As per claim 6:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“further including: adding incremental data to the historical aggregation, with the incremental data including data from a time at which the historical aggregation was computed to a near present time that is within a minute of the present time” (Paragraph [0038], Paragraph [0046] and Paragraph [0054] (the combination of date warehouse repositories and extrenal data sources results in the creation of active Intelligence in real-time where real-time refers to the rapid execution of requests with no significant delay))
“and producing, based on the adding of the incremental data, a near real-time aggregation of the data” (Paragraph [0047] (managing the execution of real-time analytical models within operational processes leveraging data from a variety of transactional and historical sources to guide the optimal execution of that process)).

As per claim 7:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“receiving, from a client device of a user, data representing one or more rules defining an application” (Paragraph [0096] (users can easily interface with the GUI, to input sophisticated decision rules))
“generating, based on the received data, the one or more rules that define the application” (Paragraph [0020] (analytical models are user-defined rules that require a high level of complex analytics capabilities in order to be executed))
“and implementing, based on executing the one or more rules, the application against the one or more data streams intermittently received” (Paragraph [0016] (a solver component for filtering the data from the MDPDS according to the user defined rules))

As per claim 8:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein receiving the one or more data streams includes: receiving a first data stream with data representing a first type of event” (Paragraph [0073] and Paragraph [0075] (listeners are system specific adaptors that capture external messages from different data streams and data representing for each event))
“and receiving a second data stream with data representing a second type of event” (Paragraph [0122] (identifies the occurrence of business events according to set business rules in order to understand whether the transaction or event that took place is in fact significant)).

As per claim 9:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“further including executing one or more applications against a published action trigger included in the one or more instructions” (Paragraph [0089] and Paragraph [0125] (certain operational data indicates the occurrence of a monitored event or certain thresholds are exceeded , the platform triggers the distribution functions, sending the message to the most relevant individual/s or system/s)).

As per claim 10:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein a data record includes an event” (Paragraph [0038] (collect, filter and analyze huge quantities of data, by defining rules to identify key events)).

As per claim 11:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“wherein searching includes searching in a data repository or searching in-memory” (Paragraph [0006] (data warehouse systems are central repositories for all or significant parts of the data that an enterprise's various business systems collect and data from data warehouse repositories is searched by user queries)).

As per claim 12:
Govrin teaches:
“A data processing system for processing data including” Paragraph [0010] (system for analyzing and effectively distributing large quantities of data includes)) 
 “intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources consisting of data records and listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time) 
“processing the modified data record by applying one or more rules to the modified data record” (Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY teaches: “one or more processors; and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record.
However, in an analogous art, Bishop teaches:
“one or more processors” (Paragraph [0202] (the processor may be implemented using any suitable processing system, such as one or more processors))
“and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including” (Paragraph [0202] (the memory represents any non-transitory short or long term storage or other computer-readable media capable of storing programming instructions for execution on the processor))
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and subsequent processing of the collected data which is received as continuous near real-time (NRT) data streams and the grouping is on a tuple-by-type basis where each pipeline is identified by a unique pipeline identifier (ID)))
“accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0054] and Paragraph [0055] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline where a time-slice based definition includes partitioning at least one incoming near real-time (NRT) data stream by its most recently received portion within a time window and a batch is transactional boundary of stream processing within a container, such a transaction is considered to be complete when a batch is completely processed))
“and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received” (Paragraph [0054], Paragraph [0061] and Paragraph [0062] (the “Internet of Things (IoT) platform” is defined as an integrated environment that collects and processes a high volume of data from a plurality of entities in real-time or near real-time, often with low latency where processing logic can be applied to the data to generate real-time or near real-time analytics that utilizes computation over a combination of stream mode and batch mode to periodically generate aggregates using batch and offline analytics and substitute results from real-time data streams to generate real-time analytics, performing computational tasks like data mining, machine learning, statistical processing, predictive analytics, time series analysis, rule based processing, complex event processing, pattern detection, correlation and more and where a combination of time-size basis and batch-size basis is used to define batches, each batch in a pipeline is identified by a unique batch identifier (ID)))
 “populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record” (Paragraph [0054], Paragraph [0118], Paragraph [0146] and Paragraph [0170] (After ingesting (populating), digesting, and applying enterprise context (real-time aggregation) to the data streams, the intelligent outputs are produced and delivered (inserted) in the right form, at the right time, and to the right channel, worker nodes in the worker tier can perform tasks like aggregations, functions and stream groupings and commits to external persistence layers like rich contextual data store, application(s) can include a data manager component that can be configured to insert, delete, and/or update the records stored in the data store and each batch in a pipeline is identified by a unique batch identifier (ID))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bishop and apply them on teachings of Govrin for “one or more processors; and one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record”.  One would be motivated as the worker nodes in the worker tier perform various stream processing jobs such as simple data transformation to complex operations such as multi-stream joins and can perform tasks like aggregations, functions and stream groupings (Bishop, Paragraph [0146]).
Govrin and Bishop do not EXPLICITLY teach: searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier.
However, in an analogous art, Xu teaches:
“searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Xu and apply them on teachings of Govrin and Bishop for “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier”.  One would be motivated as the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]).

As per claim 13, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 2 above.

As per claim 14, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 3 above.

As per claim 15, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 4 above.

As per claim 16, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 5 above.

As per claim 17, the claim is rejected based upon the same rationale given for the parent claim 12 and the claim 6 above.

As per claim 18:
Govrin teaches:
 “intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (loaders are system specific drivers that load static data from external sources consisting of data records and listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
 “processing the modified data record by applying one or more rules to the modified data record” (Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY teaches: “one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record.
However, in an analogous art, Bishop teaches:
 “one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including” (Paragraph [0202] (the memory represents any non-transitory short or long term storage or other computer-readable media capable of storing programming instructions for execution on the processor))
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and subsequent processing of the collected data which is received as continuous near real-time (NRT) data streams and the grouping is on a tuple-by-type basis where each pipeline is identified by a unique pipeline identifier (ID)))
“accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0054] and Paragraph [0055] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline where a time-slice based definition includes partitioning at least one incoming near real-time (NRT) data stream by its most recently received portion within a time window and a batch is transactional boundary of stream processing within a container, such a transaction is considered to be complete when a batch is completely processed))
“and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received” (Paragraph [0054], Paragraph [0061] and Paragraph [0062] (the “Internet of Things (IoT) platform” is defined as an integrated environment that collects and processes a high volume of data from a plurality of entities in real-time or near real-time, often with low latency where processing logic can be applied to the data to generate real-time or near real-time analytics that utilizes computation over a combination of stream mode and batch mode to periodically generate aggregates using batch and offline analytics and substitute results from real-time data streams to generate real-time analytics, performing computational tasks like data mining, machine learning, statistical processing, predictive analytics, time series analysis, rule based processing, complex event processing, pattern detection, correlation and more and where a combination of time-size basis and batch-size basis is used to define batches, each batch in a pipeline is identified by a unique batch identifier (ID)))
 “populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record” (Paragraph [0054], Paragraph [0118], Paragraph [0146] and Paragraph [0170] (After ingesting (populating), digesting, and applying enterprise context (real-time aggregation) to the data streams, the intelligent outputs are produced and delivered (inserted) in the right form, at the right time, and to the right channel, worker nodes in the worker tier can perform tasks like aggregations, functions and stream groupings and commits to external persistence layers like rich contextual data store, application(s) can include a data manager component that can be configured to insert, delete, and/or update the records stored in the data store and each batch in a pipeline is identified by a unique batch identifier (ID))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bishop and apply them on teachings of Govrin for “one or more machine-readable hardware storage devices storing instructions that are executable to cause the one or more processors to perform operations including; as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; accessing near real-time data from a field in the at least one detected data record received from the one or more data streams and associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and generating a near real-time aggregation by combining the near real-time data included in the accessed field of the at least one detected data record that is received from the one or more data streams and that is keyed based on the same particular identifier; with the  pre-computed aggregation of data that is keyed based on the same particular identifier to produce the near real-time aggregation keyed based on the same particular identifier with the aggregation being near real-time with regard to when the data in the one or more streams is received; populating a data record that is keyed based on the same particular  identifier with the near real-time aggregation and data received from the one or more data streams, by: inserting the near real-time aggregation keyed based on the same particular identifier into a field of the data record, and inserting data from at least one of the data records received from the one or more data streams and keyed based on the same particular identifier into another field of the data record”.  One would be motivated as the worker nodes in the worker tier perform various stream processing jobs such as simple data transformation to complex operations such as multi-stream joins and can perform tasks like aggregations, functions and stream groupings (Bishop, Paragraph [0146]).
Govrin and Bishop do not EXPLICITLY teach: searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier.
However, in an analogous art, Xu teaches:
“searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Xu and apply them on teachings of Govrin and Bishop for “searching for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier”.  One would be motivated as the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]).

As per claim 19, the claim is rejected based upon the same rationale given for the parent claim 18 and the claim 2 above.

As per claim 20, the claim is rejected based upon the same rationale given for the parent claim 18 and the claim 3 above.

As per claim 21:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Govrin further teaches:
“based on applying one or more rules to the modified data record, detecting that a threshold value is satisfied by the combined data” (Paragraph [0038] and Paragraph [0089] (collect, filter and analyze huge quantities of data, by defining rules to identify key events and when certain thresholds are exceeded, a rule may be triggered))
“based on detecting that the threshold value is satisfied by the combined data, transmitting an alert to a user device” (Paragraph [0089], Paragraph [0142] and Paragraph [0143] (when a threshold value is exceeded, a rule is triggered and an alert may be sent to customer as SMS or E-mail)).

As per claim 22:
Govrin, Bishop and Xu teach the method as specified in the parent claim 1 above. 
Xu further teaches:
“wherein data that is keyed based on the same particular identifier includes data that is keyed indirectly based on the same particular identifier or data that is keyed directly based on the same particular identifier” (Paragraph [0115] (a keyword index to facilitate fast keyword searching for event data where the indexer includes the identified keywords in an index, which associates each stored keyword with reference pointers to events containing that keyword)).

As per claim 23:
Govrin teaches:
“A method performed by a data processing system for processing data, the method including” Paragraph [0010] (method for analyzing and effectively distributing large quantities of data includes)) 
“intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
“executing an application against the data record pre-populated with (i) the combined data that includes the second data received from the one or more data streams and the pre-computed aggregation, and (ii) the data from at least one of the data records in the collection” Paragraph [0046] (analyzes (executes an application) both historic (the pre-computed aggregation) and real-time (the second data received from the one or more data streams) data, stemming from both operational activity and Business Intelligence (the data from at least one of the data records in the collection) which is achieved by interfacing with both internal data repositories (such as Enterprise Resource Planning (ERP) and Customer Relationship Management (CWM)), external data sources (such as suppliers and clients) and this combination results in the creation of Active Intelligence))
 “wherein the executing is independent of a database query, with the executing including applying one or more rules to the pre-populated data record” Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY discloses: as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier; pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record.
However, in an analogous art, Bishop teaches:
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and subsequent processing of the collected data which is received as continuous near real-time (NRT) data streams and the grouping is on a tuple-by-type basis where each pipeline is identified by a unique pipeline identifier (ID)))
“for that particular identifier, creating a collection of data records that include the detected two or more data records” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and the grouping is on a tuple-by-type basis))
“accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0054] and Paragraph [0055] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline where a time-slice based definition includes partitioning at least one incoming near real-time (NRT) data stream by its most recently received portion within a time window and a batch is transactional boundary of stream processing within a container, such a transaction is considered to be complete when a batch is completely processed))
“and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier” (Paragraph [0054], Paragraph [0061] and Paragraph [0062] (the “Internet of Things (IoT) platform” is defined as an integrated environment that collects and processes a high volume of data from a plurality of entities in real-time or near real-time, often with low latency where processing logic can be applied to the data (second data received from the one or more data streams) to generate real-time or near real-time analytics that utilizes computation over a combination of stream mode and batch mode to periodically generate aggregates using batch and offline analytics and substitute results from real-time data streams to generate real-time analytics, performing computational tasks like data mining, machine learning, statistical processing, predictive analytics, time series analysis, rule based processing, complex event processing, pattern detection, correlation and more and where a combination of time-size basis and batch-size basis is used to define batches, each batch in a pipeline is identified by a unique batch identifier (ID)))
 “pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record” (Paragraph [0054], Paragraph [0118], Paragraph [0146] and Paragraph [0170] (after ingesting (pre-populating), digesting, and applying enterprise context (real-time aggregation) to the data streams, the intelligent outputs are produced and delivered (inserted) in the right form, at the right time, and to the right channel, worker nodes in the worker tier can perform tasks like aggregations, functions and stream groupings and commits to external persistence layers like rich contextual data store, application(s) can include a data manager component that can be configured to insert, delete, and/or update the records stored in the data store and each batch in a pipeline is identified by a unique batch identifier (ID))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bishop and apply them on teachings of Govrin for “as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier; pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record”.  One would be motivated as the worker nodes in the worker tier perform various stream processing jobs such as simple data transformation to complex operations such as multi-stream joins and can perform tasks like aggregations, functions and stream groupings (Bishop, Paragraph [0146]).
Govrin and Bishop do not EXPLICITLY teach: searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier.
However, in an analogous art, Xu teaches:
“searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Xu and apply them on teachings of Govrin and Bishop for “searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier”.  One would be motivated as the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]).

As per claim 24:
Govrin teaches:
“A method performed by a data processing system for processing data, the method including” Paragraph [0010] (method for analyzing and effectively distributing large quantities of data includes)) 
“intermittently receiving data from one or more data streams, the received data including data records” (Paragraph [0073] (listeners are system specific adaptors that capture external messages from different messaging systems, such as email, chat, instant messaging, online transactions and other data streams)) 
“for at least one detected data record included in the collection of data records, wherein the at least one detected data record is associated with a particular time” (Paragraph [0021] and Paragraph [0105]) (process huge quantities of records from any external data source (which includes streams), identifying those that may be relevant and discarding the others by using rules defined by users (which may include associated with particular time)))
“accessing a palette that pre-defines multiple events and event aggregations that are available for multiple types of applications” Paragraph [0095], Paragraph [0097] and Paragraph [0098] (a means for analyzing massive volumes of data (palette), enabling the recognition of patterns that match predefined events, and delivering actionable messages to the relevant recipient, including detecting, analyzing, recognizing and targeting, multi-source connects the active intelligence platform directly to any existing data systems and enables interaction with these various data sources simultaneously and dynamic aggregation is evaluated once))
“pre-populating a data record with values for each of the multiple events and event aggregations, including” Paragraph [0019], Paragraph [0021] and Paragraph [0023] (data is processed (pre-populated) according to a process of detecting, analyzing, recognizing and targeting, process huge quantities of records per second from any external data source and to match the impact of each transaction or record against the various models that had been defined by the system's users))
 “processing the pre-populated data record by applying one or more rules to the pre-populated data record” Paragraph [0095] and Paragraph [0098] (providing a means for analyzing massive volumes of data and allowing active intelligence to incorporate data that has been drawn from the system in its rules))
“based on applying the rules, writing to memory one or more instructions for initiation of one or more actions” (Paragraph [0082] (the solver component utilizes the data stored in the MDPDS to solve the user-defined rules in the most efficient way))
“and publishing the one or more instructions to a queue for initiation of the one or more actions” (Paragraph [0100] (delivers actionable messages directly to the most suitable recipients, based on the defined rules)).
Govrin does not EXPLICITLY discloses: as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier; pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record.
However, in an analogous art, Bishop teaches:
“as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and subsequent processing of the collected data which is received as continuous near real-time (NRT) data streams and the grouping is on a tuple-by-type basis where each pipeline is identified by a unique pipeline identifier (ID)))
“for that particular identifier, creating a collection of data records that include the detected two or more data records” (Paragraph [0046] and Paragraph [0053] (a task sequence involves collection of data from a large number of entities and the grouping is on a tuple-by-type basis))
“accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation” (Paragraph [0054] and Paragraph [0055] (a batch is defined as an assemblage of event tuples partitioned on a time-slice basis and/or a batch-size basis and sequentially queued in a pipeline where a time-slice based definition includes partitioning at least one incoming near real-time (NRT) data stream by its most recently received portion within a time window and a batch is transactional boundary of stream processing within a container, such a transaction is considered to be complete when a batch is completely processed))
“and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier” (Paragraph [0054], Paragraph [0061] and Paragraph [0062] (the “Internet of Things (IoT) platform” is defined as an integrated environment that collects and processes a high volume of data from a plurality of entities in real-time or near real-time, often with low latency where processing logic can be applied to the data (second data received from the one or more data streams) to generate real-time or near real-time analytics that utilizes computation over a combination of stream mode and batch mode to periodically generate aggregates using batch and offline analytics and substitute results from real-time data streams to generate real-time analytics, performing computational tasks like data mining, machine learning, statistical processing, predictive analytics, time series analysis, rule based processing, complex event processing, pattern detection, correlation and more and where a combination of time-size basis and batch-size basis is used to define batches, each batch in a pipeline is identified by a unique batch identifier (ID)))
 “pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record” (Paragraph [0054], Paragraph [0118], Paragraph [0146] and Paragraph [0170] (after ingesting (pre-populating), digesting, and applying enterprise context (real-time aggregation) to the data streams, the intelligent outputs are produced and delivered (inserted) in the right form, at the right time, and to the right channel, worker nodes in the worker tier can perform tasks like aggregations, functions and stream groupings and commits to external persistence layers like rich contextual data store, application(s) can include a data manager component that can be configured to insert, delete, and/or update the records stored in the data store and each batch in a pipeline is identified by a unique batch identifier (ID))).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Bishop and apply them on teachings of Govrin for “as data from the one or more data streams continue to be received, detecting in the received data records, two or more data records that are each keyed based on a particular identifier; for that particular identifier, creating a collection of data records that include the detected two or more data records; accessing second data from a field in the at least one detected data record associated with the particular time that is after or the same as the end of the prior time period that includes the given times associated with the least some of the first data of the pre-computed aggregation; and determining a value of an event aggregation by combining the second data received from the one or more data streams and included in the accessed field of the at least one detected data record that is keyed based on the same particular identifier, with the pre-computed aggregation from memory that is keyed based on the same particular identifier to produce combines data keyed based on the same particular identifier; pre-populating a data record that is keyed based on the same particular identifier by inserting the determined value of event aggregation represented by the combined data that includes the second data received from the one or more data streams and the pre- computed aggregation from memory and that is keyed based on the same particular identifier into a field of the data record, and by inserting data that represents a value of an event and that is from at least one of the data records in the collection into another field of the data record”.  One would be motivated as the worker nodes in the worker tier perform various stream processing jobs such as simple data transformation to complex operations such as multi-stream joins and can perform tasks like aggregations, functions and stream groupings (Bishop, Paragraph [0146]).
Govrin and Bishop do not EXPLICITLY teach: searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier.
However, in an analogous art, Xu teaches:
“searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0069], Paragraph [0183] and Paragraph [0252] (the system enables users to run queries against the stored data of the data streams to  retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields and summary (aggregation) data may be created and used to improve the ability of indexers to process search queries where the summary (aggregation) data may store one or more "pre-computed" results for a search query))
“wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period” (Paragraph [0171], Paragraph [0243], and Paragraph [0244] (to perform a search against data stored by cluster, a search head may first obtain information from master node, including a list of active indexers of the cluster and a generation identifier where each indexer receiving the search query may use the generation identifier to identify which generation mapping to consult when searching the buckets stored by the indexer and system stores events in buckets covering specific time ranges or periods, then producing the summaries that can save the work involved in running the query for previous time periods (prior time periods)))
“with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams” (Paragraph [0170], Paragraph [0171] and Paragraph [0243] (where the query seeks events meeting specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, storing events in buckets covering specific time ranges, then the summaries can be generated on a bucket-by-bucket basis, producing intermediate summaries can save the work involved in running the query for previous time periods and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster))
“and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier” (Paragraph [0171] and Paragraph [0243] (during each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update, producing intermediate summaries can save the work involved in running the query for previous time periods, so advantageously only the newer event data needs to be processed while generating an updated report and a generation identifier identifies a particular generation mapping which indicates, for each grouped subset of data stored by indexers of the cluster)).
It would have been obvious to one of ordinary skill in the art before the effective filing date to take the teachings of Xu and apply them on teachings of Govrin and Bishop for “searching memory for a pre-computed aggregation of first data that is keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; wherein at least some of the first data of the pre-computed aggregation are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams and are each associated with a given time from a prior time period; with the prior time period being defined as a range of given times associated with the at least some of the first data of the pre-computed aggregation that are keyed based on the same particular identifier as the two or more data records detected in the one or more data streams; and wherein the end of the prior time period is prior to or the same as the particular time associated with the at least one data record that is detected in the one or more data streams and that is keyed based on the same particular identifier”.  One would be motivated as the report generator allows the user to specify one or more fields within events,  apply statistical analysis on values extracted from the specified one or more fields and may aggregate search results across sets of events) (Xu, Paragraph [0147]).



Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Siripurapu et al, (US PGPUB 20120131139), it allows performance of stream computations on real-time data streams using one or more map operations and/or one or more update operations. A map operation is a stream computation in which stream events in one or more real-time data streams are processed in a real-time manner to generate zero, one or more new stream events. An update operation is a stream computation in which stream events in one or more real-time data streams are processed in a real-time manner to create or update one or more static "slate" data structures that are stored in a durable manner.
Mills Michael, (US PGPUB 20130262035), a time series of measurement data is received from a source device via a wide-area network. At least two streams of a data storage arrangement associated with the measurement data are determined. One of the streams is configured as a base stream having a time intervals corresponding to the time series of measurement data, and another is configured as a first rollup stream having time intervals each including a fixed plurality of the time intervals of the base stream.
Zhang et al, (US PGPUB 20160179898), the present application relates to a distributed data stream processing method, a distributed data stream processing device, a computer program product for processing a raw data stream and a distributed data stream processing system. A distributed data stream processing method is provided. The method includes dividing a raw data stream into a real-time data stream and historical data streams, processing the real-time data stream and the historical data streams in parallel, separately generating respective results of the processing of the real-time data stream and the historical data streams.
Wing et al, (US PGPUB 20200082340), it relates to storing a machine-readable declarative specification of stateful event processing of an automated multi-step progression of monitoring of Internet of Things (IoT) devices that generate events. It includes compiling into tangible memory, in response to the declarative specification, a state processing network that implements a multi-step progression of monitoring events generated by the IoT devices. The state processing network implements both the time based transition triggers and the event based transition triggers after being initiated by the IoT devices. Further, data structures, which record monitoring status of particular IoT devices, are compiled.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAMAL K DEWAN whose telephone number is (571) 272-2196.  The examiner can normally be reached on Mon-Fri 8:00 AM – 5:00 PM (EST).  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONY MAHMOUDI can be reached on 571-272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Kamal K Dewan/
Examiner, Art Unit 2163


/TONY MAHMOUDI/Supervisory Patent Examiner, Art Unit 2163