Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Information Disclosure Statement
The IDS filed 12/02/2021 has been considered as noted on the attached PTO-1449.
Claims 1-20 have been examined.
This action is made FINAL.

Claim Rejections – 35 USC § 101
In light of the claim amendments the 101 rejections to claims 1-20 have been withdrawn.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over by Molander et al. [US 20180375999 A1, July 31, 2018], in view of Bath et al. [US 20180314726 A1, 2018-11-01].

obtaining a message via a data stream ([0100] a forwarder may receive a data stream from a log file generated by an application server, from a stream of network data from a network device, or from any other source of data); analyzing the message to identify a data portion within the message to add to a lookup table [e.g. segment the data stream into "blocks", or "buckets,"] ([0100] a forwarder receives the raw data and may segment the data stream into "blocks", or "buckets," possibly of a uniform data size, to facilitate subsequent processing steps); writing the data portion to the lookup table to generate an enhanced lookup table with data from the message [e.g. generate an annotated data blocks] ([0101-0103] a forwarder or other system component annotates each block generated from the raw data with one or more metadata fields….a forwarder forwards the annotated data blocks to another system component (typically an indexer) for further processing….a forwarder may contain the essential components needed to forward data. It can gather data from a variety of inputs and forward the data to a server for indexing and searching. It also can tag metadata (e.g., source, source type, host, etc.));

Molander does not teach using the generated enhanced lookup table to lookup a data value corresponding with the data portion to append to the message to enrich the message and a subsequently received message. 
Bath teaches using the generated enhanced lookup table to lookup a data value corresponding with the data portion to append to the message to enrich the message and a subsequently received message ([0121] the data structures that map metadata fields to pre-stored values may be implemented as a lookup table, such as a key-value lookup table, that maps fields (keys) in events to pre-determined values in the table, and automatically appends or replaces the data values of the keys in the events with the mapped value in the table. An instance or a local copy of the data structure (lookup table) may be stored in each search head and indexer in the search environment. In large deployments or deployments where the data in the lookup tables are referenced frequently, or when the key-values are modified, the lookup tables must be frequently updated and synchronized to maintain the integrity of the data stored. Otherwise, translations with obsolete (and thus inaccurate) values may be performed, or currently available translations may not be successfully applied with obsolete lookup tables. FIG. 4 is a flow diagram that illustrates an exemplary process that a search head may perform to synchronize a key-value data structure across the search environment).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention to modify the system of Molander with automatic processing of appending or replacing data of the lookup table of Bath. Such a modification would update a pre-existing lookup table of search heads in the search environment.
Molander as modified by Bath further teaches:
outputting the enriched message having the appended data value (Molander [0118-0119] the indexers to which the query was distributed, search data stores associated with them for events that are responsive to the query. To determine which events are responsive to the query, the indexer searches for events that match the criteria specified in the query. These criteria can include matching keywords or specific values for certain fields. The searching operations at block 408 may use the late-binding schema to extract values for specified fields from events at the time the query is processed. In an embodiment, one or more rules for extracting field values may be specified as part of a source type definition….
the search head combines the partial results and/or events received from the indexers to produce a final result for the query. This final result may comprise different types of data depending on what the query requested. For example, the results can include a listing of matching events returned by the query, or some type of visualization of the data from the returned events. In another example, the final result can include one or more calculated values derived from the matching events) such that the enriched message is subsequently searched and/or indexed (Molander [0120] the results generated by the system 108 can be returned to a client using different techniques. For example, one technique streams results or relevant events back to a client in real-time as they are identified. Another technique waits to report the results to the client until a complete set of results (which may include a set of relevant events or a result based on relevant events) is ready to return to the client. Yet another technique streams interim results or relevant events back to the client in real-time until a complete set of results is ready, and then returns the complete set of results to the client. In another technique, certain results are stored as “search jobs” and the client may retrieve the results by referring the search jobs).

With respect to dependent claim 2, Molander as modified by Bath further teaches wherein the message comprises raw machine data generated by one or more components in an information technology environment (Molander [0061] each event can be associated with a timestamp that is derived from the raw data in the event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events, etc.).

With respect to dependent claim 3, Molander as modified by Bath further teaches wherein the message is obtained via a streaming data processor that processes data for searching and/or indexing (Molander [0123] the search head 210 allows users to search and visualize event data extracted from raw machine data received from homogenous data sources. It also allows users to search and visualize event data extracted from raw machine data received from heterogeneous data sources. The search head 210 includes various mechanisms, which may additionally reside in an indexer 206, for processing a query).

With respect to dependent claim 4, Molander as modified by Bath further teaches wherein the data portion within the message is identified based on a message field indicating a field in the message for which a value is to be written to the lookup table (Molander [0065] The system stores the timestamped events in a data store. The system enables users to run queries against the stored data to, for example, retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields).

With respect to dependent claim 5, Molander as modified by Bath further teaches wherein the data portion within the message is identified based on a message field selected via user input (Molander [0139] data models may be selected in a report generation interface. The report generator supports drag-and-drop organization of fields to be summarized in a report. When a model is selected, the fields with available extraction rules are made available for use in the report. The user may refine and/or filter search results to produce more precise reports).

With respect to dependent claim 6, Molander as modified by Bath further teaches wherein a lookup sink function is used to analyze the message and write the data portion to the lookup table, the lookup sink function including a lookup field indicator and a message field indicator (Molander [0061] machine-generated data are collected and stored as "events". An event comprises a portion of the machine-generated data and is associated with a specific point in time…).

With respect to dependent claim 7, Molander as modified by Bath further teaches executing a predicate to determine whether to write at least a portion of the message to the lookup table (Molander [0061] each event can be associated with a timestamp that is derived from the raw data in the event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events, etc.
Molander [0251] an effect on the call center is predicted based on the environment. The effect may be the predicted volume of calls to the call center, the amount of time to process each call, or other effect. Predicting the effect may be performed using machine learning. In other words, a set of training data based on historical events may be obtained. The historical events may include the environment and the call center interaction data at the time of the existence of the environment….).

With respect to dependent claim 8, Molander as modified by Bath further teaches executing a predicate to determine whether to write at least a portion of the message to the lookup table, the predicate selected via user input (Molander [0065] the system stores the timestamped events in a data store. The system enables users to run queries against the stored data to, for example, retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields…
Molander [0251] Predicting the effect may be performed using machine learning….).

With respect to dependent claim 9, Molander as modified by Bath further teaches wherein the lookup table comprises a key-value lookup table (Molander [0112] the keyword index may include entries for name -value pairs found in events, where a name -value pair can include a pair of keywords connected by a symbol, such as an equals sign or colon. This way, events containing these name-value pairs can be quickly located…).

With respect to dependent claim 10, Molander as modified by Bath further teaches wherein the message is obtained via a streaming data processor that processes messages one at a time (Molander [0198] processing the rule results in the matching entity definitions being associated with the service definition. The rule can be processed at creation time, and thereafter on a scheduled or on-demand basis. This allows dynamic, rule-based updates to the service definition).

With respect to dependent claim 11, Molander as modified by Bath further teaches wherein the lookup of the data value is performed via a lookup function that includes an indication of a field, in the enhanced lookup table, for which to lookup the data value (Molander [0065] the system stores the timestamped events in a data store. The system enables users to run queries against the stored data to, for example, retrieve events that meet criteria specified in a query, such as containing certain keywords or having specific values in defined fields. As used herein throughout, data that is part of an event is referred to as "event data". In this context, the term "field" refers to a location in the event data containing one or more values for a specific data item…).

With respect to dependent claim 12, Molander as modified by Bath further teaches wherein the enhanced lookup table is used to lookup the data value to append to the message before a new message is analyzed for identifying data within the new message to further enhance the lookup table (Molander [0067] as a user learns more about the data in the events, the user can continue to refine the late-binding schema by adding new fields, deleting fields, or modifying the field extraction rules for use the next time the schema is used by the system).

With respect to dependent claim 13, Molander as modified by Bath further teaches wherein writing the data portion to the lookup table is performed in an append mode or a replace mode (Bath [0121] the data structures that map metadata fields to pre-stored values may be implemented as a lookup table, such as a key-value lookup table, that maps fields (keys) in events to pre-determined values in the table, and automatically appends or replaces the data values of the keys in the events with the mapped value in the table…).

With respect to dependent claim 14, Molander as modified by Bath further teaches wherein the lookup of the data value is performed via a temporal lookup function that a field match and a time-based comparison (Molander [0061] machine-generated data are collected and stored as "events". An event comprises a portion of the machine-generated data and is associated with a specific point in time. For example, events may be derived from " time series data," where the time series data comprises a sequence of data points (e.g., performance measurements from a computer system, etc.) that are associated with successive points in time).

With respect to dependent claim 15, Molander as modified by Bath further teaches wherein the lookup of the data value is performed via a temporal lookup that includes a time-based match, wherein a match is identified when a time associated with a record in the enhanced lookup table is closest to, but before, a time indicated in the message (Molander [0061] each event can be associated with a timestamp that is derived from the raw data in the event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events, etc.).

With respect to dependent claim 16, Molander as modified by Bath further teaches wherein the data value to append to the message corresponds with the data portion of the message written to the lookup table (Molander [0104] the forwarder can parse data before forwarding the data (e.g., associate a time stamp with a portion of data and create an event, etc.) and can route data based on criteria such as source or type of event. It can also index data locally while forwarding the data to another indexer.

Regarding claims 18 and 20; the instant claims recite substantially same limitations as the above rejected claims 12 & 16 and are therefore rejected under the same prior-art teachings.

Response to Amendment
In response to the 11/09/2021 office action claims 1, 17 and 19 have been amended, no new claim has been added, and no claim has been cancelled. Claims 1-20 are currently pending and stand rejected.

Response to Arguments
Applicant’s arguments filed on 03/07/2022 have been considered. 
The arguments are drawn to the newly recited limitations. The new ground of rejection as necessitated by the new limitation is presented herein.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SOHEILA G DAVANLOU whose telephone number is (571)270-5155. The examiner can normally be reached Monday - Friday, 9:00am - 6:00 Eastern Time..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alford Kindred can be reached on (571)272-4037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SOHEILA G DAVANLOU
Examiner
Art Unit 2153

/KRIS E MACKES/Primary Examiner, Art Unit 2153