DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA and is in response to communications filed on 3/30/2022 in which claims 1-20, 22-23, 25-26, and 28-29 are presented for examination.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/30/2022 has been entered.
 
Priority
Acknowledgment is made of parent Application No. 13/956,338, filed on 7/31/2013.

Drawings
Drawings have been acknowledged and are acceptable for examination purposes.

Specification
Specification has been acknowledged and is acceptable for examination purposes.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20, 22-23, 25-26, and 28-29 are rejected under 35 U.S.C. 103 as being unpatentable over Carasso, “Exploring Splunk” (hereinafter referred to as “Carasso”) in view of Ginter et al. US 20050015624 A1 (hereinafter referred to as “Ginter”).

As per claim 1, Carasso teaches:
A computer-implemented method comprising: 
in response to the selection: 
generating a search query based on the metric, the search query including a criterion for a field value (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values, wherein this is interpreted as generating a search query including a criterion for a field value.  Pg. 58 – The statistics associated with the values are also part of the criterion), 
identifying events of interest from a set of machine data containing a plurality of events, by identifying instances in which the field value in events in the set of machine data matches the criterion in the search query (Carasso, pg. 55, paragraph 2 – Machine data.  Pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values, wherein this is interpreted as generating a search query based on selection of metrics), and 
calculating a first value for the metric from the identified events of interest (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period),
the first value corresponding to a number of events associated with the metric at a first time of a configurable time period (Carasso, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold.  The rolling window also comprises a first point in time and a second point in time which are continually moving in conjunction with one another, wherein the first point in time is interpreted as a first time that is associated with a first value which is constantly being monitored for changes); 
calculating a second value for the metric, the second value corresponding to a number of events associated with the metric at a second time of the configurable time period (Carasso, pg. 69, paragraph 7 – The rolling window comprises a first point in time and a second point in time which are continually moving in conjunction with one another, wherein the second point in time is interpreted as the second time of the configurable time period);
determining a change value based on the difference between the second value and the first value (Carasso, pg. 69, paragraph 7 – The alert is triggered when there’s a change in value from the first point in time and the second point in time that exceeds a threshold);
determining a relationship between the second value and a first threshold (Carasso, pg. 69, paragraph 5 – A threshold for a total number of events regardless of any time period or rolling time window is interpreted as a first threshold, wherein this would also correspond to the second point in time of the rolling window as well as the second value that corresponds to the second point in time, but without taking account of the first value or first point in time.  See also pg. 72 with different alert conditions, wherein a simple “is greater than” condition is interpreted as the first threshold); and
determining a relationship between the change value and a second threshold (Carasso, pg. 69, paragraph 7 – The alert is triggered when there’s a change in value from the first point in time and the second point in time that exceeds a threshold); and 
causing display of an identifier of the metric, an indication of the second value, an indication of the change value, an indication of the relationship between the second value and the first threshold, and an indication of the relationship between the change value and the second threshold (Carasso, pg. 69, paragraphs 5-7 – A threshold for a total number of events regardless of any time period or rolling time window is interpreted as a first threshold, wherein this would also correspond to the second point in time of the rolling window as well as the second value that corresponds to the second point in time, but without taking account of the first value or first point in time.  This way, if both the first alert condition happens, which is the total number of events, and the second alert condition happens, which is the number of events which exceed the threshold within a time period, this would mean both thresholds overlapped and were triggered.  The user would then see that both first and second alerts were triggered.  See also pg. 72 with different alert conditions, wherein a simple “is greater than” condition is interpreted as the first threshold.  This page also states that a "rises by" or "falls by" condition can be added which allows one to “set alerts for conditions that are relative (it’s often not the absolute number as much as a doubling or tripling that you want to be alerted about).”).
It would have been obvious for one of ordinary skill in the art at the time of the filing of the application to modify Exploring Splunk’s invention in view of itself in order to configure a window of time for displaying metrics with first and second alerts; this is combining two known elements which would yield the predictable result of displaying two alerts at once, thereby notifying the user that a dire situation has occurred, and it’s also advantageous because it allows the user to create a regular expression without knowing the syntax and to see alerts that happen within a time period respectively (Carasso, pgs. 57 and 69).
Although Exploring Splunk teaches metrics and values associated with the metrics, Exploring Splunk doesn’t explicitly teach a selection of selectable metrics, however Ginter teaches:
receiving a selection of a metric from a set of selectable metrics (Ginter, [0132] – Metrics can be selected and the different types of information can be displayed.  Paragraphs [0133] and [0136] – The web server may be used in connection with displaying pages to a console in response to a user selection or obtaining settings for different threshold and alarm levels such as may be used in connection with notifications); 

As per claim 2, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of the first threshold as a configurable threshold to be applied to the second value; and 
causing display of an indicator indicating that the second value of the at least one metric exceeds the configurable threshold (Carasso, pg. 69, paragraphs 5-7 – The rolling window with multiple alerts is interpreted as teaching first and second values with first and second thresholds).

As per claim 3, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of the second threshold as a configurable threshold to be applied to the change (Carasso, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold.  Also, the rolling window with multiple alerts is interpreted as teaching first and second values with first and second thresholds); and 
causing display of an indicator indicating that the change value exceeds the configurable threshold (Carasso, pg. 55 – Creating Alerts about Potential Problems shows how to track and send alerts when metrics cross thresholds).

As per claim 4, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
causing display of a drill down view of the machine data underlying at least one of the first value or the second value of the metric upon selection of the metric (Carasso, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred.  See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 5, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the second value is determined based upon a number of events identified as search query results (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).

As per claim 6, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of a time period for the metric, wherein the identified events of interest fall within the configurable time period (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).

As per claim 7, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
causing display of a list of searches for events of interest (Carasso, pg. 72, paragraphs 2 and 3 – Saved searches can be displayed in a list and selected by a user to display its parameters), 
wherein each search in the list includes: 
a name of the search (Ginter, [0090] – Host name, user name, certificate name and/or any other information that might serve to identify who or what is connected to the control network via the VPN connection, wherein these are interpreted as possible names of a search.  [0281] – Metric name), 
a type of the search (Ginter, [0016] – The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack, wherein the type of attack that is searched for is interpreted as the type of search).

As per claim 8, Carasso as modified teaches:
The computer-implemented method of claim 7, further comprising: 
causing display of a drill down view of a machine data underlying the event of interest associated with the search upon selection of the search (Carasso, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred.  See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 9, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a domain within which the event of interest is identified (Ginter, [0014] and [0016] – Security events of interest are reported.  [0022] – The method may perform pattern matching).

As per claim 10, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a status field that includes a first selectable option that enables a search for the event of interest (Carasso, pg. 23, paragraph 11 – A search option is displayed in the search dashboard, wherein the search dashboard is interpreted as the status field because it includes a selectable option that enables searches) and 
a second selectable option that disables the search for the event of interest (Carasso, pg. 26, paragraphs 2-4 – Pausing, stopping and cancelling searches can be performed in the system, wherein this is interpreted as disabling searches for events of interest).

As per claim 11, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the type of search includes any one of 
a scheduled search (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment) and 
a real-time search (Ginter, [0067] – The security event monitoring system provides data in real time).

As per claim 12, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein for each event of interest for which the scheduled search is performed, causing display of a date and time when a next search is scheduled to be performed to identify a presence of an event of interest (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment).

As per claim 13, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the metric from the plurality of metrics is related to operational performance in the information technology environment (Ginter, [0021], [0022] and [0111] – Events of interest may be obtained by parsing data.  Paragraph [0232] – A determination is made as to whether the input data has any one or more matches in accordance with predefined string values indicating events of interest.  Fig. 14 shows possible selections of metrics such as logins, login failures, resource usage, etc., wherein resource usage is interpreted as operational performance).

As per claim 14, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the machine data include unstructured or semi-structured data (Ginter, [0146] – Raw data may be gathered and alerts may be generated, wherein gathering raw data is interpreted as gathering machine data and generating alerts from that data is interpreted as separating the data into events.  Paragraph [00236] – Schemas can be formed).

As per claim 15, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the machine data is log data (Ginter [0158] – The log agent searches the log file for predetermined strings of interest, and may store in memory the string found as well as one or more corresponding metrics such as, for example, the number of occurrences of a string).

Claims 16-18 are directed to an apparatus performing steps recited in claims 1-3 with substantially the same limitations.  Therefore, the rejections made to claims 1-3 are applied to claims 16-18.

Claims 19-20 are directed to a non-transitory computer readable program storage medium performing steps recited in claims 1-2 with substantially the same limitations.  Therefore, the rejections made to claims 1-2 are applied to claims 19-20.

As per claim 22, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
separating the set of machine data into two or more events by identifying a presence of a feature in the set of machine data, wherein the feature identifies a boundary used to separate the set of machine data into the two or more events, and wherein the two or more events comprise the events of interest (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values (this is especially helpful for the regular expression-challenged among us), wherein this is interpreted as generating a search query based on selection of metrics).

As per claim 23, Carasso as modified teaches:
The computer-implemented method of claim 22, wherein the feature includes a leading punctuation, a word, a white space, or a breaking character (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values (this is especially helpful for the regular expression-challenged among us), wherein this is interpreted as generating a search query based on selection of metrics).

Claims 25 and 26 are directed to an apparatus performing steps recited in claims 22 and 23 with substantially the same limitations.  Therefore, the rejections made to claims 22 and 23 are applied to claims 25 and 26.

Claims 28 and 29 are directed to a non-transitory computer readable program storage medium performing steps recited in claims 22 and 23 with substantially the same limitations.  Therefore, the rejections made to claims 22 and 23 are applied to claims 28 and 29.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Petersen et al. US 20120246303 A1 teaches log collection, structuring, and processing (Title).
Manes et al. US 20130047039 A1 teaches system and method for computer analysis (Title).
Wilson et al. US 20080086345 A1 teaches asset data collection, presentation, and management (Title).
Kass et al. US 20080086363 A1 teaches technology event detection, analysis, and reporting system (Title).
Qamhiyah et al. US 20060041535 A1 teaches a geometric search engine (Title).

Response to Arguments
Applicant’s arguments filed 3/30/2022 have been fully considered but they are not persuasive.  Applicant’s arguments begin on page 10 of Remarks where there is one main argument.  This specific argument is addressed below.

Argument:  Applicant argues in Remarks on page 10 that the reference of Carasso doesn’t adequately teach the limitations for “determining a change value based on the difference between the second value and the first value”, “determining a relationship between the change value and second threshold”, “an indication of the change value”, “and an indication of the relationship between the change value and the second threshold.”
	Examiner thanks Applicant for accurately stating what was discussed in the interview of 2/22/2022, citing the bullet points from Carasso.  
	Applicant argues that the rolling time window of Carasso merely teaches determining an absolute count of events within the specified time window, rather than a change in the number of events from one point in time to another.  Applicant goes on to say that it’s not reasonable to interpret this disclosure to mean a change in the number of events.
In Response:  The reference that was used in the Final Rejection of 12/30/2021 is Carasso, and on pages 4-5 the interpretation of Carasso is explained in detail.  However, in order to make the citation easier to understand, Examiner will give an explanation and examples of a rolling time window.  A rolling time window has a start time that constantly trails the end time, and the length of that trailing interval is configurable.  For instance, the example given on pg. 69 of Carasso is a “5-minute window”, which means that the start time trails the end time by 5 minutes.  Therefore, when Carasso states that an alert is triggered when there are more than 20 404s in a 5-minute window, this means a spike of 404s occurred in the span of 5 minutes.  In other words, if the number of 404s was rising steadily, for example one 404 every hour, this wouldn’t trigger the alert even if more than 20 404s occurred altogether, because they didn’t occur within 5 minutes.  If, however, there was a spike from 40 404s to 65 404s in 3 minutes, this would trigger the alert because 25 404s occurred in only 3 minutes, which is more than 20 404s within the 5-minute rolling window.  For further context, pg. 72 (also cited in the rejection) also states that a "rises by" or "falls by" condition can be added which allows one to “set alerts for conditions that are relative (it’s often not the absolute number as much as a doubling or tripling that you want to be alerted about).”  This citation also deals with percentages, which is another calculation, but the same can be done with absolute numbers as well (i.e., instead of “rises by 5%”, the user can set the condition as “rises by 20”).  
Paragraph(s) [0056] of the specification describe(s) “the difference indicator can represent a change in the number of events matching the selected metric in the last 24 hours or the last few days, etc., and can be configured to whatever relevant time period is required.”  This appears to be describing the same thing as a rolling time window, but with different words.  Based on a reasonable interpretation in view of the specification, the prior art of record teaches the claimed limitation.
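The following is an added illustration of the two mechanisms discussed in this Office action: the rolling time window of Carasso pg. 69 as explained in the Response above, and the two-threshold sequence of claim 1 (a value at a first time, a value at a second time, their difference, an absolute threshold on the second value and a relative “rises by” threshold on the change).  It is not code from Carasso, from Splunk, or from the application; the log format, the helper names, the sample log lines and the numbers (one 404 per hour versus a jump from 40 to 65 404s in 3 minutes) are assumptions constructed to mirror the 404 example in the Response to Arguments.

```python
# Rolling-window and change-based alerting over constructed web-log events.
# Added example; not code from Carasso, Splunk, or the application. The log
# format, names and sample numbers below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed access-log line: <date> <time> <client ip> "<request>" <status>
LOG_LINE = re.compile(r'^(?P<ts>\S+ \S+) (?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')


def parse_events(text):
    """Split raw machine data into events (newline is the event boundary) and
    extract the fields a search criterion can be matched against."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "ip": m["ip"], "status": m["status"]})
    return events


def search(events, field, value):
    """The search query: keep events whose field value matches the criterion, oldest first."""
    return sorted((e for e in events if e[field] == value), key=lambda e: e["time"])


def count_at(events, end, window=None):
    """Value of the metric at time `end`: matching events in (end - window, end],
    or every matching event up to `end` when window is None (a running total)."""
    return sum(1 for e in events
               if e["time"] <= end and (window is None or e["time"] > end - window))


def rolling_window_alert(events, window, threshold):
    """Rolling time window as described above: True if more than `threshold`
    matching events fall inside any span of length `window`. Two-pointer sweep
    over time-sorted events, so one pass regardless of the window size."""
    times = [e["time"] for e in events]
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:  # drop events that fell out of the window
            lo += 1
        if hi - lo + 1 > threshold:
            return True
    return False


@dataclass
class MetricStatus:
    metric: str
    second_value: int
    change_value: int
    change_pct: float
    above_first_threshold: bool   # absolute "is greater than" condition on the second value
    above_second_threshold: bool  # relative "rises by" condition on the change value


def evaluate_metric(events, metric, first_time, second_time,
                    first_threshold, second_threshold, window=None):
    """Value at two times, their difference, and each compared with its own threshold."""
    first = count_at(events, first_time, window)
    second = count_at(events, second_time, window)
    change = second - first
    pct = (change / first * 100.0) if first else float("inf")
    return MetricStatus(metric, second, change, pct,
                        second > first_threshold, change > second_threshold)


# ---- constructed sample data (assumed; not taken from any reference) ----
T0 = datetime(2022, 7, 1, 0, 0, 0)
FIVE_MIN = timedelta(minutes=5)


def make_log(stamped):
    return "\n".join(
        f'{t:%Y-%m-%d %H:%M:%S} 10.0.0.{i % 7 + 1} "GET /item/{i} HTTP/1.1" {status}'
        for i, (t, status) in enumerate(stamped))


# Scenario 1: one 404 every hour for 25 hours; 25 in total but never 20 in any 5 minutes.
STEADY_LOG = make_log([(T0 + timedelta(hours=h), "404") for h in range(25)]
                      + [(T0 + timedelta(hours=h, minutes=30), "200") for h in range(25)])

# Scenario 2: 40 404s at one per minute, then 25 more inside 3 minutes (40 -> 65).
SPIKE_LOG = make_log([(T0 + timedelta(minutes=m), "404") for m in range(40)]
                     + [(T0 + timedelta(hours=1, seconds=7 * i), "404") for i in range(25)]
                     + [(T0 + timedelta(minutes=m, seconds=30), "200") for m in range(40)])


def run_scenarios():
    steady = search(parse_events(STEADY_LOG), "status", "404")
    spike = search(parse_events(SPIKE_LOG), "status", "404")
    second_time = T0 + timedelta(hours=1, minutes=3)
    return {
        "steady_total": len(steady),                                     # 25
        "spike_total": len(spike),                                       # 65
        "steady_rolling": rolling_window_alert(steady, FIVE_MIN, 20),    # False
        "spike_rolling": rolling_window_alert(spike, FIVE_MIN, 20),      # True
        "spike_window_count": count_at(spike, second_time, FIVE_MIN),    # 25 in the last 5 minutes
        # running total at 00:59 (40) vs 01:03 (65): change 25, so "rises by 20" fires
        "spike_status": evaluate_metric(spike, "HTTP 404", T0 + timedelta(minutes=59),
                                        second_time, 20, 20),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

In the steady scenario the running total passes 20 but no 5-minute window ever holds more than one event, so the rolling-window alert stays quiet; in the spike scenario the same threshold fires, and the running totals at the two times (40 and 65) give a change of 25 that also exceeds a “rises by 20” condition, while the second value 65 exceeds an absolute “is greater than 20” condition.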
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Jenkins et al. US 8707194 B1 teaches a system and method for decentralized performance monitoring of host systems (Title).
Kwan et al. US 20150039749 A1 teaches calculating a percentage change over the baseline or use pre-determined thresholds to determine whether a difference between the current measurement and the rolling baseline constitutes an anomaly in paragraph [0056].
Bartosz et al. “Real-time Grid Monitoring Based on Complex Event Processing” teaches real-time access and query capabilities (Abstract).

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew Ellis whose telephone number is (571)270-3443.  The examiner can normally be reached on Monday-Friday 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571)270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

July 1, 2022
/MATTHEW J ELLIS/Primary Examiner, Art Unit 2152