DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Remarks/Arguments
This Office Action is in response to the communications for the present US application number 15/640,187 last filed on April 06th, 2021.
Claims 1, 9 and 17 were amended.
Claims 1-20 remain pending and have been examined, directed to scalable and real-time anomaly detection.

Upon further review of the latest claim amendments along with the applicant’s representative’s response, the examiner reviewed the applied references and respectfully disagrees.
With respect to the 35 U.S.C. § 102 rejection, using Bell, and using amended independent claim 1 for example, the applicant’s representative argued that Bell does not teach and/or suggest of computing for a range of values for the event data, over a period of time that is after an alert.  The rep. argued and interpreted that Bell only taught of how a single event data point deviated from a range of expected values, and therefore concluded that Bell doesn’t teach/suggest of a range of values. 
In response, there are several points that the examiner respectfully disagrees with.  First, the claimed language does not clearly reflect what was argued.  The examiner reviewed the filed Specifications and found instance examples that described a range of failure counts (or values, which appears to be what the rep. is arguing) and also examples that described a range of the failure metric, which is what is currently in the amended claims (see filed Specifications ¶¶ [0029] and [0065]).  Therefore, what’s argued is not clearly reflected in the claim language.
Second, based upon the current claimed language, the concept of a “current range of the failure metric” was already previously interpreted and covered in the subsequent “comparing” step, and therefore the argument that Bell now does not teach or suggest of this range is unreasonable.  Additionally, Bell discloses that event data points can be grouped or split into fractions, as they represent different types of events (¶¶ [0021] and [0027]).  Therefore, each event data point is not just a single event, but can be interpreted as a single or collection of event data points.  Furthermore, Bell discloses of a “current range” as the system can evaluate and visually display over different increments of time intervals, such as 5 minutes or 15 minutes or greater.  In one example, the evaluation window is three hours before and additionally 1 hour after the alert incident.  Therefore, the system is evaluating/computing over this window interval to see how long the incoming events or data points are going to continue exceeding some established alert thresholds, or treat the one or few event data points as anomalies.  Therefore, the current range would be 5 minutes or as long as necessary until the system determines that the incoming event data points are within normal expected values again, below some alert threshold.  If one were to interpret the current range of the failure metric along the y-axis, Bell also discloses that there can be different levels or tiers of the alert thresholds (e.g., ¶ [0026]).  Therefore, both directions and interpretations of a “current range of the failure metric” is covered. 
The other independent claims 9 and 17 were similarly amended and argued following claim 1 and thus were similarly rejected under the same rationale.
The remaining dependent claims were not specifically argued at this time.
Applicant's arguments were considered but they were not found persuasive.  See the following claim rejections for further clarifications with added emphasis on the points previously disclosed.  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent Publication No. 2017/0070414 A1 to Bell et al. (“Bell”).

As to claim 1, Bell discloses a computer-implemented method, comprising:
retrieving first event data associated with a real-time stream of events generated by one or more components within a computing system (Bell discloses of an overall system designed to identify and analyze “events” as incoming data streams.  This involves real-time or on demand requests/events.  Bell discloses of allowing a user to request/retrieve such data streams and view them in different manners/views, based upon different users’ established guidelines with respect to different thresholds and clustering of data, e.g., Bell: ¶¶ [0017-18], [0021-24], [0026], [0065-68], [0078-79], and Figures 4 and 5); 
computing a failure metric based on the first event data (Bell discloses that users can establish different levels of thresholds, for a given stream of data/event, and wherein the different threshold levels would be indicative of different degrees of failure, or in other words similar to different levels of “failure metrics.”  For example, when evaluated against the threshold level(s), the event data value can be evaluated as something “normal” or as an “outlier.” Again, this can be applied towards all of the different types of real time or on demand event data stream(s) being monitored/evaluated, e.g., Bell: ¶¶ [0017], [0023-24], [0026], and [0065-66]); 
determining that the failure metric exceeds a dynamically adjustable trigger condition (Bell discloses that the system can identify and determine when a particular event data stream has events occurring that exceeds any dynamically established threshold levels that would be indicative of alerts or outliers data that may warrant an alert, and if so, issue out an alert notification, (e.g., Bell: ¶¶ [0026-27], [0069-74], [0076-79], and Figures 4 and 5).  Furthermore, since the “trigger condition” itself is a value or threshold level that can dynamically change based upon an incoming or real time data stream; this is similar to how Bell discloses that the alert threshold value can change over time as additional event data is received (e.g., Bell: ¶¶ [0026] and [0077]).  In other words, this threshold value/level is dynamically adjusting to the incoming real time data stream to determine whether an alert is needed to be triggered.  The actual event data would be something that is evaluated against the threshold level to see if it warrants an alert or be considered a singular outlier event); 
generating an alert associated with the failure metric indicating that the computing system is in an alert condition (Following the above step(s) and interpretation(s), the system can establish/generate an alert, and evaluate the incoming stream or interval of events, which means multiple data points, evaluated over a period of time, such as 5 minutes to 15 minute increments or more, as to whether each event data point(s) has exceeded the established alert threshold level(s) and rule out any possible outlier anomalies, e.g., Bell: ¶¶ [0064-67], [0069-74], [0076], [0078-79], and Figures 4 and 5);
computing a current range of the failure metric based on a duration of time that occurs after the alert (Following the above step(s) and interpretation(s), and as previously established, after an event or a group of event data has exceeded some established alert threshold, Bell’s system can then evaluate and determine whether it is a single occurrence or whether there are expected to be more incoming received event data point(s).  Bell discloses of evaluating over a period of time, such as 5 minutes to 15 minute increments or more.  Therefore, the “current range” can be broadly interpreted as increasing increments of 5 minutes to start as the system continues to monitor and evaluate incoming event data points to see if more would be exceeding an established threshold level after the first detected event data.  In addition to the 5 to 15+ minute increments, Bell also discloses of evaluating before and after the event incident in question, so again, the “current range” would be interpreted to encompass that entire length of time (e.g., ¶¶ [0026-27] and [0029-30]).  If one of ordinary skill were thinking along the y-axis instead of the x-axis (time), Bell also discloses of using several different tiers of alert thresholds as well (e.g., ¶ [0026]).  Therefore, both directions and interpretations of a “current range of the failure metric” is covered);
comparing the current range of the failure metric to a range of the failure metric occurring prior to the alert to determine that the computing system is no longer in the alert condition (Following the above step(s) and interpretation(s), the system would be evaluating the incoming event data points and comparing it against the current threshold level(s) and also comparing/evaluating against historical or previously received events data, to see if the current data is in alert range or not or whether an alert is still warranted.  Bell discloses in an example that the system can evaluate over a large window with 3 hours before and 1 hour after the incident.  Additionally, visual tools which allow the events to be plotted out can also be useful in easily distinguishing when the incoming stream of events or plot points are all elevated to one or more alert levels, when compared against historical or previously received event data points, e.g., Bell: ¶¶ [0026], [0030], [0066], [0071-74], and [0076]); and
discontinuing the alert based on the computing system no longer being in the alert condition (as the evaluated event stream drops to below the alert threshold levels, then the alert would be discontinued, all of which can be easily monitored and/or adjusted by an operator as well, through the visualization tool, e.g., Bell: ¶¶ [0026], [0030], [0066-68], [0071], and [0077-79]).

As to claim 2, Bell further discloses the computer-implemented method of claim 1, further comprising, in response to determining that the failure metric exceeds the dynamically adjustable trigger condition, incrementing the dynamically adjustable trigger condition (Following claim 1, Bell discloses of a process wherein the sensitivity of detecting events can be adjusted for different types of data being monitored, such that it affects the threshold levels of when an alert and notification would be triggered, e.g., Bell: ¶¶ [0023-24], [0026], [0063], and [0074]).

As to claim 3, Bell further discloses the computer-implemented method of claim 1, further comprising:
retrieving second event data associated with the stream of events generated by the one or more components within the computing system (Following claim 1, Bell’s system can track multiple different event data streams and/or set up clusters of data streams, e.g., Bell: ¶¶ [0018], [0020-21], [0023-24], [0067-68] and Figure 4); 
computing a second failure metric associated with the second event data (Similar to claim 1 with a first data stream, any data stream would have its own established threshold levels to detect for possible alerts and/or outliers,  e.g., Bell: ¶¶ [0023-24], [0026], and [0065-66]); 
determining that the second failure metric is less than the dynamically adjustable trigger condition (Similar to claim 1, Bell discloses that different event data streams can have different threshold levels established and thus a “second” data stream can potentially never cause an alert if it is always below the established threshold level(s), e.g., Bell: ¶¶ [0023-24], [0026], [0063], and [0074]); and
in response to determining that the second failure metric is less than the dynamically adjustable trigger condition, decrementing the dynamically adjustable trigger condition (Following the above step(s) and interpretation(s), Bell discloses that the sensitivity to the data stream being monitored, can be increased or decreased, such as for example changing/decreasing the sensitivity (or in other words changing the threshold level(s)) for tracking sporting event(s), as a means of reducing false positives, e.g., Bell: ¶¶ [0023-24], [0026], and [0074]).

As to claim 4, Bell further discloses the computer-implemented method of claim 1, wherein the dynamically adjustable trigger condition is associated with a median failure metric related to the first event data (e.g., Bell: ¶¶ [0032], and [0050]).

As to claim 5, Bell further discloses the computer-implemented method of claim 1, wherein the failure metric measures a number of failures represented by the first event data and associated with a first service operating within the computing system (Following claim 1’s interpretations, the system can track any number of data streams and detect “failures” as events occur and trigger any established threshold levels, and thus the number of events or “failures” can be measured, e.g., Bell: ¶¶ [0066], [0069-74], [0076], and [0078-79] and Figures 4 and 5).

As to claim 6, Bell further discloses the computer-implemented method of claim 5, further comprising generating an alert message associated with the alert, wherein the alert message identifies the first service (Following claims 1 and 5, the system can generate an alert notification for any detected events/”failures” and/or any unresolved outliers, e.g., Bell: ¶¶ [0026], [0066], [0069-74], [0076], and [0078-79] and Figures 4 and 5).

As to claim 7, Bell further discloses the computer-implemented method of claim 1, further comprising grouping the events based on which components in the computing system generated the events (events can be clustered, e.g., Bell: ¶¶ [0067-68], [0075-76] and Figure 4).

As to claim 8, Bell further discloses the computer-implemented method of claim 1, wherein the failure metric measures a number of failures represented by the first event data and associated with a group of components within the computing system (the number of events/”failures” that exceed a threshold and/or unresolved outliers can all trigger an alert and notification and those can be tallied up, e.g., Bell: ¶¶ [0026], [0066], [0069-74], [0076], and [0078-79] and Figures 4 and 5).

As to claims 9-15, see the similar corresponding rejections of claims 1-7 respectively and wherein the term/phrase “dynamically adjustable threshold value” is interpreted to be the same as the “dynamically adjustable trigger condition.”

As to claim 16, Bell further discloses the one or more non-transitory computer-readable storage media of claim 9, further comprising:
calculating a first value range associated with second event data associated with a second stream of events generated by the one or more components within the computing system prior to the first event data (Examiner’s Note: it is unclear if the “first value range” and “second value range” are to be interpreted as a plurality of values defining a range or a single “range value” that represents a range.  Ultimately, they are both placeholder terms as they are compared to each other in this vacuum and system seemingly can resolve itself without further acting upon these value(s) or range(s).  (Refer to the filed specifications ¶ [0029] that would suggest the proper description and/or terminology to use is a range of failure counts (or a range of multiple values) over time).
With that in mind, and following the same interpretations from claims 1 and 9 and similar to claims 3 and 11, Bell’s system is capable of multiple event data streams over a period of time and therefore discloses of a second and a third data stream separate from the first data stream established in claims 1 and/or 9.  Bell also discloses of monitoring data streams for events or alerts in time series manner, and over an interval period of time before and after a section or interval of focus, which can be further applied or replicated for multiple or clusters of related data streams, e.g., Bell: ¶¶ [0016], [0018], [0023-24], [0030], and [0067-68] and Figures 4 and 5); 
calculating a second value range associated with third event data associated with a third stream of events generated by the one or more components within the computing system subsequent to the first event data (Following the above interpretation(s), a third stream of data can have associate events or plot points associated with another incident point (or “third event data”) in a third data stream, and that can occur at some point in time after an alert occurred (i.e., first event data) within the first data stream (established from claims 1 and/or 9).  Bell discloses of this type of scenario as data streams can be related and clustered together such that occurrences in one stream can affect one or more occurrences in other data streams.  It is also possible for users to manually poll and/or calculate a range of plot points in a (related or third) data stream as well, as well as disclosing about taking measures before and after an interval of focus (e.g., Bell: ¶¶ [0016], [0030], and [0067-68]); 
determining that the second value range is equivalent to the first value range (Bell discloses of an embodiment describing how different related streams of data can be clustered together as well as being able to evaluate the before and after periods/interval of time surrounding a point of focus.  Lastly, Bell discloses that the system can wait and evaluate to see if a detected issue will momentarily pass and self-resolve itself, e.g., Bell: ¶¶ [0030], [0067-68] and [0071-72]); and
determining that the computing system has recovered from the alert (Bell discloses of embodiments wherein the system can wait and see whether a momentary problem can resolve itself, e.g., Bell: ¶¶ [0071-72]).

As to claims 17-20, see the similar corresponding rejections of claims 1-4 respectively and again the term/phrase “dynamically adjustable threshold value” is interpreted to be the same as the “dynamically adjustable trigger condition.”





Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
9,323,599 B1 to Iyer et al

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Xiang Yu whose telephone number is (571)270-5695. The examiner can normally be reached M-R 9:30-3:00 (PST/PDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on (571)272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/X.Y/Examiner, Art Unit 2455 

/EMMANUEL L MOISE/Supervisory Patent Examiner, Art Unit 2455