Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.  This action is in response to the application filed 1/7/2021.
2.  Claims 1-20 have been examined and are pending in the application.

Claim Rejections - 35 USC § 112
The following is a quotation of the second paragraph of 35 U.S.C. 112:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


3.  Claim 11 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
A.  The following terms lack antecedent basis:
(i) the feature vectors (line 2).  Correction is required.
B.  The applicant recites “The log/event-message system of claim 6” on line 1, which is an inappropriate dependent.  For the purpose of art rejection, it is interpreted as “The log/event-message system of claim 7” as best understood and as it appears to be.  Correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


4.  Claims 1-6, 13 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Di Pietro, U.S. Publication No. 2019/0171169.
As to claim 1, Di Pietro teaches an improved log/event-message system, within a distributed computer system (…architecture 400 for dynamically adjusting sample rates in a network assurance system…, paragraph 0062 page 6), that collects log/event messages (…During normal operation of architecture 400, network elements 402 may provide the collected data 334 for analysis on a push basis. That is to say that a given report may be sent for analysis without first receiving a specific request for the information. For example, a measurement taken by a network element 402 may be sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7) from log/event-message sources (…network elements 402 may include wireless APs, WLC, switches, routers, or the like…, paragraph 0063 page 6) within the distributed computer system, stores the collected log/event messages (…network data collection platform 304 may receive collected data 334 on a push and/or pull basis, as desired. Network data collection platform 304 may prepare and store the collected data 334 for processing by cloud service 302…, paragraph 0044 page 4), and provides query-based access to the stored log/event-messages (…Cloud service 302 may also include output and visualization interface 318 configured to provide sensory data to a network administrator or other user via one or more user interface devices (e.g., an electronic display, a keypad, a speaker, etc.). For example, interface 318 may present data indicative of the state of the monitored network, current or predicted issues in the network (e.g., the violation of a defined rule, etc.), insights or suggestions regarding a given condition or issue in the network, etc. Cloud service 302 may also receive input parameters from the user via interface 318 that control the operation of system 300 and/or the monitored network itself. 
For example, interface 318 may receive an instruction or other indication to adjust/retrain one of the models of analyzer 312 from interface 318 (e.g., the user deems an alert/rule violation as a false positive)…, paragraph 0053 page 5), the log/event-message system comprising: 
one or more message-ingestion-and-processing systems (…cloud service 302 may include a data mapper and normalizer 314 that receives the collected and/or anonymized data 336 from network data collection platform 304. In turn, data mapper and normalizer 314 may map and normalize the received data into a unified data model for further processing by cloud service 302…, paragraph 0045 page 4), incorporated within one or more computer systems, which each receives data (…During normal operation of architecture 400, network elements 402 may provide the collected data 334 for analysis on a push basis. That is to say that a given report may be sent for analysis without first receiving a specific request for the information. For example, a measurement taken by a network element 402 may be sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7) from one or more message collectors, and stores the received data in a database (…network data collection platform 304 may receive collected data 334 on a push and/or pull basis, as desired. Network data collection platform 304 may prepare and store the collected data 334 for processing by cloud service 302. In some cases, network data collection platform may also anonymize collected data 334 before providing the anonymized data 336 to cloud service 302…, paragraph 0044 page 4); and 
multiple message collectors (network data collection platform 304, Figs. 4 and 5A-5E and associated specifications), incorporated within one or more computer systems, which each receives log/event messages (…During normal operation of architecture 400, network elements 402 may provide the collected data 334 for analysis on a push basis. That is to say that a given report may be sent for analysis without first receiving a specific request for the information. For example, a measurement taken by a network element 402 may be sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7) from the log/event-message sources (…network elements 402 may include wireless APs, WLC, switches, routers, or the like…, paragraph 0063 page 6), and forwards the log/event messages to one or more of one or more message-ingestion-and-processing systems (…network data collection platform 304 may receive collected data 334 on a push and/or pull basis, as desired. Network data collection platform 304 may prepare and store the collected data 334 for processing by cloud service 302. In some cases, network data collection platform may also anonymize collected data 334 before providing the anonymized data 336 to cloud service 302…, paragraph 0044 page 4); and 
one or more sampler systems that sample log/event messages for downstream processing and storage (…data resampling engine 406 and data polling engine 410 may be implemented as part of network data collection platform 304…, paragraph 0062 page 6) and that periodically automatically regenerates sampling rates that control log/event-message sampling (…dynamic adjustment of sample rates in a machine learning-based network assurance system, based on the performance of the machine learning model(s) at the core of the system…, paragraph 0059 page 6; …architecture 400 may adjust the sample rate of the input data to machine learning-based analyzer 312 by dynamically polling network elements 402 for additional data that can be interleaved into the data stream with the data reported on a push basis. For example, by polling network entities 402 at a rate that is equal to that of the rate at which network entities 402 report captured data on a push basis, and interleaving the results, the sample rate at which machine learning-based analyzer 312 receives captured data for consumption can be effectively doubled. In another embodiment, architecture 400 may also implement a feedback loop, to detect the right polling frequency for the additional data. In particular, once the additional polling based feed have been put in place, DRCP 408 may notify machine learning-based analyzer 312 that additional data is being provided through explicit polling. In turn, machine learning-based analyzer 312 may monitor the impact of this sample rate change and verify that the sample rate issues have indeed been resolved. If not, machine learning-based analyzer 312 may send another insufficient sample rate notification to DRCP 408 with a flag set to increase the sample rate even further…, paragraphs 0115-0116 page 8). 
As to claim 2, Di Pietro further teaches log/event-message sources include: message-generation-and-reporting components of hardware components of the distributed computer system, including network routers and bridges, network-attached storage devices, network-interface controllers, and other hardware components and devices (…network elements 402 may include wireless APs, WLC, switches, routers, or the like…, paragraph 0063 page 6); and 
message-generation-and-reporting components within computer-instruction-implemented components of the distributed computer system, including virtualization layers, operating systems, and applications running within servers and other types of computer systems (characterize such patterns by the nature of the device (e.g., device type, OS) according to the place in the network, time of day, routing topology, type of AP/WLC, etc., and potentially correlated with other network metrics (e.g., application, QoS, etc.)…paragraph 0048 page 5). 
As to claim 3, Di Pietro further teaches log/event-messages include text, alphanumeric values, and/or numeric values that represent various types of information, including notification of completed actions, errors, anomalous operating behaviors and conditions, various types of computational events, and warnings (…During normal operation of architecture 400, network elements 402 may provide the collected data 334 for analysis on a push basis. That is to say that a given report may be sent for analysis without first receiving a specific request for the information. For example, a measurement taken by a network element 402 may be sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7). 
As to claim 4, Di Pietro further teaches each of the one or more sampler systems (…data resampling engine 406 and data polling engine 410 may be implemented as part of network data collection platform 304…, paragraph 0062 page 6) is incorporated in a different message collector of the multiple message collectors (network data collection platform 304, Figs. 4 and 5A-5E and associated specifications). 
As to claim 5, Di Pietro further teaches each of the one or more sampler systems (…data resampling engine 406 and data polling engine 410 may be implemented as part of network data collection platform 304…, paragraph 0062 page 6) is incorporated in a different message-ingestion-and-processing system of the one or more message-ingestion-and-processing systems (…cloud service 302 may include a data mapper and normalizer 314 that receives the collected and/or anonymized data 336 from network data collection platform 304. In turn, data mapper and normalizer 314 may map and normalize the received data into a unified data model for further processing by cloud service 302…, paragraph 0045 page 4). 
As to claim 6, Di Pietro further teaches each of the one or more sampler systems receives an input stream of log/event messages and outputs a sampled output stream of log/event messages (…sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7; …architecture 400 may adjust the sample rate of the input data to machine learning-based analyzer 312 by dynamically polling network elements 402 for additional data that can be interleaved into the data stream with the data reported on a push basis. For example, by polling network entities 402 at a rate that is equal to that of the rate at which network entities 402 report captured data on a push basis, and interleaving the results, the sample rate at which machine learning-based analyzer 312 receives captured data for consumption can be effectively doubled…, paragraph 0115 page 8). 
As to claim 13, Di Pietro teaches a method, carried out by a sampler system (…data resampling engine 406 and data polling engine 410 may be implemented as part of network data collection platform 304…, paragraph 0062 page 6) that samples log/event messages (…During normal operation of architecture 400, network elements 402 may provide the collected data 334 for analysis on a push basis. That is to say that a given report may be sent for analysis without first receiving a specific request for the information. For example, a measurement taken by a network element 402 may be sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7) within a log/event-message system, incorporated in a distributed computer system (…architecture 400 for dynamically adjusting sample rates in a network assurance system…, paragraph 0062 page 6), that collects log/event messages from log/event-message sources (…network elements 402 may include wireless APs, WLC, switches, routers, or the like…, paragraph 0063 page 6) within the distributed computer system, stores the collected log/event messages (…network data collection platform 304 may receive collected data 334 on a push and/or pull basis, as desired. Network data collection platform 304 may prepare and store the collected data 334 for processing by cloud service 302. In some cases, network data collection platform may also anonymize collected data 334 before providing the anonymized data 336 to cloud service 302…, paragraph 0044 page 4), and provides query-based access to the stored log/event-messages (…Cloud service 302 may also include output and visualization interface 318 configured to provide sensory data to a network administrator or other user via one or more user interface devices (e.g., an electronic display, a keypad, a speaker, etc.). 
For example, interface 318 may present data indicative of the state of the monitored network, current or predicted issues in the network (e.g., the violation of a defined rule, etc.), insights or suggestions regarding a given condition or issue in the network, etc. Cloud service 302 may also receive input parameters from the user via interface 318 that control the operation of system 300 and/or the monitored network itself. For example, interface 318 may receive an instruction or other indication to adjust/retrain one of the models of analyzer 312 from interface 318 (e.g., the user deems an alert/rule violation as a false positive)…, paragraph 0053 page 5), the log/event-message system, the method comprising: 
receiving an input stream of log/event messages, sampling the input stream of log/event messages to generate a sampled output stream of log/event messages (…sent to network data collection platform 304 as part of a data reporting stream that is provided automatically…, paragraph 0079 page 7; …architecture 400 may adjust the sample rate of the input data to machine learning-based analyzer 312 by dynamically polling network elements 402 for additional data that can be interleaved into the data stream with the data reported on a push basis. For example, by polling network entities 402 at a rate that is equal to that of the rate at which network entities 402 report captured data on a push basis, and interleaving the results, the sample rate at which machine learning-based analyzer 312 receives captured data for consumption can be effectively doubled…, paragraph 0115 page 8); and 
periodically automatically regenerating sampling rates that control log/event-message sampling (…dynamic adjustment of sample rates in a machine learning-based network assurance system, based on the performance of the machine learning model(s) at the core of the system…, paragraph 0059 page 6; …architecture 400 may adjust the sample rate of the input data to machine learning-based analyzer 312 by dynamically polling network elements 402 for additional data that can be interleaved into the data stream with the data reported on a push basis. For example, by polling network entities 402 at a rate that is equal to that of the rate at which network entities 402 report captured data on a push basis, and interleaving the results, the sample rate at which machine learning-based analyzer 312 receives captured data for consumption can be effectively doubled. In another embodiment, architecture 400 may also implement a feedback loop, to detect the right polling frequency for the additional data. In particular, once the additional polling based feed have been put in place, DRCP 408 may notify machine learning-based analyzer 312 that additional data is being provided through explicit polling. In turn, machine learning-based analyzer 312 may monitor the impact of this sample rate change and verify that the sample rate issues have indeed been resolved. If not, machine learning-based analyzer 312 may send another insufficient sample rate notification to DRCP 408 with a flag set to increase the sample rate even further…, paragraphs 0115-0116 page 8). 
As to claim 20, note the discussion of claim 13 above. 

Allowable Subject Matter
5.  Claims 7-12 and 14-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Patent No. 9,588,504 discloses identifying, configuring, monitoring, controlling, and maintaining machines that include a collection of modular components.
U.S. Patent No. 10,108,522 discloses a sampling technique to adjust application sampling rate.
U.S. Publication No. 2006/0271592 discloses a networked computing system for reporting software events occurring on a client computer to a collection service.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andy Ho whose telephone number is (571) 272-3762.  A voice mail service is also available for this number.  The examiner can normally be reached on Monday – Friday, 8:30 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Hyung Sough, can be reached on (571) 272-6799.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2100.
Any response to this action should be mailed to:
Commissioner for Patents 
P.O. Box 1450
Alexandria, VA 22313-1450
Or fax to:
AFTER-FINAL faxes must be signed and sent to (571) 273-8300.
OFFICIAL faxes must be signed and sent to (571) 273-8300.
NON-OFFICIAL faxes should not be signed; please send to (571) 273-3762.

/Andy Ho/
Primary Examiner
Art Unit 2194