DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claim 18 is objected to because of the following informalities: 
Claim 18 recites, at least in part: 
“…an interface for receiving a new original event object from one or more active IT-monitoring systems, each of the active IT-monitoring systems…”
The phrase “each of the active IT-monitoring systems” appears to be a broken phrase and is an incomplete sentence. The examiner suggests deleting this phrase. 
Appropriate correction is required.

Drawings
The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the missing features must be shown or the feature(s) canceled from the claim(s). 
The drawings fail to show at least the following features: 
1. Claim 5’s rule’s engine. Specifically, the drawings do NOT show the difference, if any, between the claim 5’s “rule engine” and claim 1’s “machine learning program”. While Figure 5 element 502 shows “rule export”, Figure 5 nor any of the other figures show the claimed “rules engine”. 
2. Claim 10 and Claim 11’s “priority level” and the event handling system automatically prioritizing based on the priority level. 
3. All of claim 14’s features. None of the figures show or describe, for example, an assigned “event-resolution workflow definition”. 
No new matter should be entered.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Interpretation
The examiner notes the language of at least Claim 9. Claim 9 recites, at least in part: 
…applying one or more natural language processing functions on the new original event object for extracting one or more data values contained in the new original event object 
applying a parser on the new original event object for extracting one or more data values contained in the new original event object; 
From the above, it appears that both of these limitations encompass the same functionality, but appearing to take different forms (e.g. “natural language processing” vs. “a parser”). 
While appearing to be definite (however, see the rejection under 112(b) below for “data values”), the examiner has, under BRI in light of the specification, interpreted “applying one or more natural language processing functions” as encompassing the same functionality and subject matter as “applying a parser” and vice versa. 

Claim Interpretation-112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
Claim 17’s recitation of “a machine-learning framework configured to apply a learning algorithm…”
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

	Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 18-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claim 18 recites “a computer system comprising: a trained machine learning program configured to…an interface for…an interface to…and a transformation coordination program adapted to…” 
MPEP 2106.03 (I) recites, at least in part: “Products that do not have a physical or tangible form, such as information (often referred to as "data per se") or a computer program per se (often referred to as "software per se") when claimed as a product without any structural recitations…” 
Under the Broadest Reasonable Interpretation of Claim 18 in light of the specification, the terms “program” and “interface” are NOT limited to structural limitations (e.g. processors, hardware implementations, etc.) and thus, Claim 18 merely recites software and thus recites “software per se”. 
The examiner notes that claim 19 is rejected under 101 due, at least in part, to its dependency to claim 18. 

	
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 17, 18, and 20 recite, at least in part (Claim 1 used as representative): 
“providing a database comprising a plurality of original event objects…with a canonical event object…
Executing a learning algorithm…adapted to transform an original event object…into a canonical event object…
Using the trained machine learning program for automatically transforming original event objects…into canonical event objects…”
As can be seen, the first limitation sets forth a plurality of original event objects and a canonical event object. However, in the “executing” limitation claim 1 recites “an original event object” and “a canonical event object”. 
It is unclear if, in the “executing” limitation, “an original event object” refers to at least one of the plurality of original event objects as set forth in the first limitation or are referring to separate and distinct original event object(s). Similarly, it is unclear if the “executing” limitation’s “a canonical event object” refers to the canonical event object as set forth by the first limitation. 
This issue is again present in the “using the trained machine learning program” limitation and should be additionally appropriately corrected. 
Moreover, at least claims 5 (e.g. “a new canonical event object”, “a new original event object”), 14, and 15 recite the same issue. 
To clarify, it appears that at least the above claims (1, 5, 14, 15, 17, 18, and 20) appear to recite multiple antecedent basis issues with the claim terms “original event object” and “canonical event object”. The examiner respectfully requests the applicant go through each and every claim to make sure the wording is consistent and proper antecedent basis is appropriately corrected. 
Claim 9 recites, at least in part: 
…applying one or more natural language processing functions on the new original event object for extracting one or more data values contained in the new original event object 
applying a parser on the new original event object for extracting one or more data values contained in the new original event object; 
each of at least the above limitations of claim 9 recite “extracting one or more data values contained in the new original event object”. However, it is unclear what the difference is, if any, between the two recitations and thus the claim is indefinite. 
	For purposes of examination, each recitation of “for extracting one or more data values contained in the new original event object” will be interpreted as encompassing the similar subject matter. 
	Claim 14 recites, at least in part: 
“…and wherein the using of the trained machine learning program for automatically transforming original event objects into canonical event object preferably further comprising automatically transforming any received new original event object into a new canonical event object having canonical data format…” 
	The examiner draws attention to the word “preferably”. This term is indefinite as it is unclear what the applicant intends by using such language. That is, it is a requirement that the functional steps be performed or not? 
	Because the metes and bounds of the claim language cannot be established, the claim is indefinite, and a rejection under 112(b) is appropriate. 
	For purposes of examination and compact prosecution, the functional language following “preferably” will be interpreted as a positive recitation. But, it should be understood that as currently presented, the functional language after “preferably”, under BRI in light of the specification, is NOT a requirement. 
Claim 17’s limitation “a machine-learning framework configured to apply a learning algorithm…” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
MPEP 2181 sets forth what is meant by “corresponding structure”, etc. 
MPEP 2181 (II) (B) states that 
“In cases involving a special purpose computer-implemented means-plus-function limitation, the Federal Circuit has consistently required that the structure be more than simply a general purpose computer or microprocessor and that the specification must disclose an algorithm for performing the claimed function.” 
	At best the specification describes the framework as a being part of software and/or being a computer system. Specifically [074] recites: 
	“The computer system comprising the framework for training the ML program can also be refereed to as ‘training computer system’. The training computer system can be a monolithic computer system, e.g. a standard computer system, or a distributed computer system…” 
	As can be seen, the specification does NOT provide sufficient structure as required for proper invocation of 35 U.S.C. 112(f). 
	Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 19 rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. 
Claim 19 depends on claim 18 and recites: 
“The computer system of claim 18, further comprising the event handling system…” 
Claim 18 recites, at least in part: 
“…the canonical data form being processable by a local or remote event handling system…an interface to the local or remote event handling system…providing the new canonical event object to the event handling system…” 
The language of Claim 19 fails both reasons under 112(d); that is: 
1. It fails to further limit: from Claim 18 it is clear that data is sent to a local or remote event handling system. Necessarily then, it would appear that at some point the computing system of claim 18 comprises the event handling system. Thus, claim 19 does not further limit this. 
2. Additionally, and/or in the alternative, Claim 19 reciting that the computer system of claim 18 comprises the event handling system fails to include all of the limitations of Claim 18. For example, considering claim 18’s recitation of “…OR remote handling system”, this would appear to mean that claim 18 does NOT comprise the event handling system. Under this example, Claim 19 reciting otherwise fails to incorporate all of the limitations of claim 18. 
For at least one of the reasons above, Claim 19 is rejected under 112(d). 
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


For clarity of record and ease of reading, the examiner notes the following: 
Any text that is bolded is a limitation of a claim. 
The “teaching” or reference citation, along with any necessary examiner notes are contained within the parentheses “()” following the bolded claim language. 
Any text that is underlined is emphasized language from reference(s) used and/or particular important examiner notes. While NOT fully reflective of the rejection as a whole, these underlined passages are indicative or otherwise reflective of key evidence.   

Claim(s) 1-4, 7-8, 10, 12-15, and 17-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Li, Tao et. al. (“Data-Driven Techniques in Computing System Management”, NPL 2017, hereinafter “Li”).
With respect to Claim 1, Li teaches A computer-implemented method for processing events, the method comprising: providing a database comprising a plurality of original event objects respectively being stored in association with a canonical event object (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs [e.g. the claimed “a plurality of original event objects].” 
Pg. 45:5 Section 2.1 “Converting log messages [e.g. the claimed “original event objects] to events [e.g. the claimed “canonical event object] provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logic from multiple components…”
Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection [e.g. the claimed “providing a database”]…”
To clarify further, the examiner notes that Li’s “log data” (e.g. the raw collected data) being transformed such that some grouping of the data is recognized or otherwise generated as an “event” teaches “a plurality of original event objects respectively being stored in association with a canonical event object.”).
wherein the original event objects being generated by one or more IT-monitoring systems (Li Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection.”
Li Pg. 45:4 Section 2 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component (e.g. started, interrupted, connected, and stopped), its CPU utilization, and its parameter values. 
Li Pg. 45:9 Section 3.1 “A typical example for temporal data in system management is illustrated in Figure 4. System monitoring, one important component in system management, tracks the states of a system by collecting system information…” 
The examiner notes that monitoring a system by collecting system information (e.g. logs) teaches “wherein the original event objects being generated by one or more IT-monitoring systems”.).

wherein each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”  
The examiner notes that collecting logs from disparate sources each of which have disparate formats teaches “wherein each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object”.). 
wherein each original event object comprising one or more data values characterizing an event (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”)
wherein the canonical event objects having a shared canonical data format (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs…” 
The examiner notes that transforming log data into a canonical form which creates consistency teaches “wherein the canonical event objects having a shared canonical data format”. To clarify, when Li generates or otherwise creates events from the disparate log data, each of those events, while potentially starting in a different data format, now, after transformation, have a common data format (e.g. whatever data format the event is).).
wherein each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been assigned for handling the event represented by the original event object (Li 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…By organizing the messages into a set of common semantic events (also termed “situations” or “categories”), that is, adding a semantic situation type to a message…, the transformed representation creates consistency, enables the correlation discovery across multiple logs, and also provides the initial connections of syntax to semantics…”
Li Pg. 45:7 section 2.4 Log Message Classification “A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular expression pattern for an event type. Then, when a log message is collected, if it matches the given regular expression, it will then be categorized to the corresponding event type.” 
The examiner notes that classifying or otherwise finding categories in which the log messages (e.g. original event object(s)) belong teaches “wherein each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been assigned for handling the event represented by the original event object”.)
the canonical event object comprising one or more attribute values derived from the data values of the associated original event object (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Li Pg. 45:4 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component..., its CPU utilization, and its parameter values...” 
The examiner notes that an event (e.g. canonical event object) which contains extracted variable values from the log message (e.g. original event object) as attributes of the event teaches “the canonical event object comprising one or more attribute values derived from the data values of the associated original event object”.)
executing a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes, and to further clarify, Li’s learning-based method is trained on log messages (e.g. original event objects) that have been labeled (e.g. transformed into canonical event objects). Then, based on this training set, a classification model is generated to label incoming log messages (e.g. original event object) into an event which has an event type (e.g. canonical event object). This learning of event types which is then applied to incoming log messages teaches “executing a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format”.).
and using the trained machine learning program for automatically transforming original event objects generated by an active IT-monitoring system into canonical event objects… (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…” 
The examiner notes that using the generated classification model (e.g. trained model) to classify incoming log messages (e.g. original event object(s)) into an event with an event type (e.g. canonical event object(s)) teaches “…and using the trained machine learning program for automatically transforming original event objects generated by an active IT-monitoring system into canonical event objects”.).
 …respectively being processable by an event handling system (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…” 
The examiner notes that, as shown above, the events are generated by at least a trained classification model. And, as seen, incident tickets are created. The examiner notes that the incoming automatically transformed events being assigned (e.g. creating) an incident ticket in a ticketing system teaches “…respectively being processable by an event handling system”.”). 
With respect to Claim 2, Li teaches wherein the using of the trained machine learning program comprising: receiving a new original event object from one of the IT-monitoring systems (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…” The examiner notes that “incoming log messages” teaches “receiving a new original event object from one of the IT-monitoring systems”)
using the trained machine learning program for automatically transforming the new original event object into a new canonical event object having canonical data format (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…” 
The examiner notes a classification model which is trained on labeled log messages where an event type is assigned and this trained classification model is then used to classify incoming log messages teaches “using the trained machine learning program for automatically transforming the new original event object into a new canonical event object having canonical data format”).
and providing the new canonical event object to the event handling system for automatically handling the new event represented by the new canonical event object as a function of the attribute values contained in the new canonical event object (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…”
The examiner notes that creating incident tickets in a ticketing system based on the events coming from an IT environment where those events are made up of, or otherwise described by, its components teaches “…and providing the new canonical event object to the event handling system for automatically handling the new event represented by the new canonical event object as a function of the attribute values contained in the new canonical event object.”).   

With respect to Claim 3, Li teaches wherein the canonical data format being interpretable by the event handling system, wherein at least some of the original data formats not being interpretable by the event handling system (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs…”
Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…”
The examiner notes that transforming multiple different formats (e.g. disparate formats) into a canonical form which creates consistency (e.g. one format for the transformed events) and this canonical form of events is used as the input to the ticketing system teaches “wherein the canonical data format being interpretable by the event handling system, wherein at least some of the original data formats not being interpretable by the event handling system”.
To further clarify, if the ticketing system (e.g. event handling system) gets events in the canonical form, the multiple disparate formats in which the original logs were transformed from would, as the claim language require, not be interpretable by the event handling system. Hence, the reason for the transformation into a canonical form.). 

With respect to Claim 4, Li teaches wherein the using of the trained machine learning program for automatically transforming the new original event object into a new canonical event object comprising performing the transformation directly by the trained machine-learning program (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes that classifying or otherwise labeling “incoming log messages” using the trained classifier teaches “wherein the using of the trained machine learning program for automatically transforming the new original event object into a new canonical event object comprising performing the transformation directly by the trained machine-learning program”.).

With respect to Claim 7, Li teaches wherein the class ID and the attribute values of at least some of the canonical event objects in the database have been specified by a human user manually (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes that users providing labeled log messages wherein the event type (e.g. Class ID) of each log messages is assigned teaches “wherein the class ID and the attribute values of at least some of the canonical event objects in the database have been specified by a human user manually”. Additionally, because events are described by their attributes extracted (e.g. by a classifier, log parser, etc.) and the user uses those values to assign the event type, this cited portion additionally teaches “…and the attribute values…”). 
With respect to Claim 8, Li teaches wherein the class ID and the attribute values of at least some of the canonical event objects in the database have been created automatically by the event handler (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes that the classifier automatically labelling and formatting incoming messages teaches “wherein the class ID and the attribute values of at least some of the canonical event objects in the database have been created automatically by the event handler”.)

With respect to Claim 10, Li teaches wherein the transformation of the received original event object into the new canonical event object comprises: automatically computing a priority level as a function of the data values of the new original event object and storing the priority level as an attribute value in the new canonical event object (Li Pg. 34 “In terms of problem detection, the monitoring system runs on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations, and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment are consolidated in an enterprise console, which analyses the monitoring events as well as creates incident tickets in a ticketing system…” Li Pg. 35 Section 6.2 “The incident records…could store incident details like…severity code…” 
Additionally, and/or in the alternative, Li Pg. 36 Section 6.2.3 “This automated method utilizes the incident tickets and server attributes…First, it identifies and ranks servers with problematic behaviors…Second, it uses the random forest classifier to evaluate the impact of multiple modernization actions and discover the most effective ones. Formally, let S represent the p-dimensional space where the p features are extracted from incident ticket data (such as tickets volumes and ticket severities) …”
The examiner notes that an emitted event (e.g. new canonical event object) that contains a computed severity code based on the computed metrics from the monitoring system teaches “wherein the transformation of the received original event object into the new canonical event object comprises: automatically computing a priority level as a function of the data values of the new original event object and storing the priority level as an attribute value in the new canonical event object”.)


With respect to Claim 12, Li teaches wherein the data values of the original event objects being selected from a group comprising: an identifier of a data processing system having triggered the generation of the original event; an operating system of a computer system having triggered the generation of the original event object; a time and date of the moment when the generation of the original event was triggered; a geographic location comprising the object having triggered the generation of the original event object; a numerical value or value range being indicative of the severity, size or priority of a technical problem; one or more strings describing the event and or the data processing system or system component having triggered the generation of the original event; a mount point, wherein the mount point is the location in a file system that a newly-mounted medium was registered during a mounting process of the medium, wherein the mounting process is a process by which the operating system makes files and directories on a storage device accessible via the computer's file system; and an internal device ID, wherein the internal device ID determined based on a device having triggered the generation of the original event (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Li Pg. 45:4 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component..., its CPU utilization, and its parameter values...”
Additionally, and/or in the alternative Li Pg. 35 Section 6.2 “Because problems and incidents can occur at different levels of the hardware and software stack, one major activity to facilitate system diagnosis is to create leading indicators (a.k.a, signature or failure codes), which are used to incidents classification…Typical example incident categories include disk usage threshold exceeded, system down, application not available, printer not printing, and password reset. The incident categories are usually obtained by analyzing the incident records. The incident records, a.k.a., incident tickets, could store incident details like client name, platform, failure description, severity code, resolution methods, and different timestamps.”
Li Pg. 5 Figure 2 Note that each message has an associated timestamp (e.g. 2010-05-02 00:21:39). 
The examiner notes that any and all of the components and parameter values collected by Li (e.g. Pg. 45:4), any or all of the timestamps shown in Figure 2, and any or all of the incident record details (e.g. platform, failure description, severity code) teach at least the claim language.). 

With respect to Claim 13, Li teaches wherein the event class of the new canonical event object being selected from a group comprising: a storage full event; a network connection failure event; a task queue full event; a server unavailable event; a mounting event; and a timeout event of a request or command sent to a device (Li Pg. 35 Section 6.2 “Because problems and incidents can occur at different levels of the hardware and software stack, one major activity to facilitate system diagnosis is to create leading indicators (a.k.a, signature or failure codes), which are used to incidents classification…Typical example incident categories include disk usage threshold exceeded, system down, application not available, printer not printing, and password reset. The incident categories are usually obtained by analyzing the incident records. The incident records, a.k.a., incident tickets, could store incident details like client name, platform, failure description, severity code, resolution methods, and different timestamps.”)
With respect to Claim 14, Li teaches wherein one or more of the canonical event objects in the database having assigned an event-resolution workflow definition (Li Pg. 36 Section 6.2.2 “Ticket Resolution Recommendation” “Automatic techniques of recommending relevant historical tickets with resolutions can significantly improve the efficient of root cause analysis and incident ticket resolving. Based on the relevant tickets, IT staff can correlate related system problems that happened before and perform a deeper system diagnosis. The solutions described in relevant historical tickets also provide best practices for solving similar issues…The first type is learning-based recommendation, in which the algorithm aims to maximize the rate of user response, such as the user clicks or conversations. The recommendation problem is then naturally formulated as a prediction problem. It utilizes a prediction algorithm to compute the probability of the user response on each item. Then, it recommends the one having the largest probability…Zhou et al. [2016] proposed item-based recommendation algorithms (where every incident ticket is regarded an item) to assist system administrators in resolving the incoming incident tickets that are generated by monitoring systems…” 
The examiner notes that using historical resolutions (e.g. “…having assigned an event-resolution workflow definition...”) to similar tickets and recommending that resolution to a user teaches “wherein one or more of the canonical event objects in the database having assigned an event-resolution workflow definition”).
wherein the learning algorithm being executed on the associated original and canonical event objects and the assigned event-resolution workflow definitions, the trained machine learning program being adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format and having assigned a predicted event-resolution workflow definition (Li Pg. 36 Section 6.2.2 “Ticket Resolution Recommendation” “Automatic techniques of recommending relevant historical tickets with resolutions can significantly improve the efficient of root cause analysis and incident ticket resolving. Based on the relevant tickets, IT staff can correlate related system problems that happened before and perform a deeper system diagnosis. The solutions described in relevant historical tickets also provide best practices for solving similar issues…The first type is learning-based recommendation, in which the algorithm aims to maximize the rate of user response, such as the user clicks or conversations. The recommendation problem is then naturally formulated as a prediction problem. It utilizes a prediction algorithm to compute the probability of the user response on each item. Then, it recommends the one having the largest probability…Zhou et al. [2016] proposed item-based recommendation algorithms (where every incident ticket is regarded an item) to assist system administrators in resolving the incoming incident tickets that are generated by monitoring systems…”)
wherein the using of the trained machine learning program for automatically transforming original event objects into canonical event objects preferably further comprising automatically transforming any received new original event object into a new canonical event object having canonical data format, the canonical event object comprising an event-resolution workflow definition predicted by the trained ML program as a function of the received new original event object (Li Pg. 36 Section 6.2.2 “Ticket Resolution Recommendation” “Automatic techniques of recommending relevant historical tickets with resolutions can significantly improve the efficient of root cause analysis and incident ticket resolving. Based on the relevant tickets, IT staff can correlate related system problems that happened before and perform a deeper system diagnosis. The solutions described in relevant historical tickets also provide best practices for solving similar issues…The first type is learning-based recommendation, in which the algorithm aims to maximize the rate of user response, such as the user clicks or conversations. The recommendation problem is then naturally formulated as a prediction problem. It utilizes a prediction algorithm to compute the probability of the user response on each item. Then, it recommends the one having the largest probability…Zhou et al. [2016] proposed item-based recommendation algorithms (where every incident ticket is regarded an item) to assist system administrators in resolving the incoming incident tickets that are generated by monitoring systems…”)

With respect to Claim 15, Li teaches wherein the machine learning program comprising: 
An event classifier adapted to identify one out of a predefined set of event classes an original event object belongs in dependence of the data values contained in the original event object and to use the identified event object to assign the class-ID to the canonical event object generated by transform the original event object (Li pg. 7 “In many applications, the monitoring and analysis only need to extract the types of events described in the log messages…A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular expression pattern for an event type. Then, when a log message is collected, if it matches a given regular expressions, it will then be categorized to the corresponding event type…”
The examiner notes for further clarity that identifying an event from a log message based on a regular expression teaches “…in dependence of the data values contained in the original event object…”
Additionally, and/or in the alternative, Pg. 8 “Recently, Tang and Li…presented a tree-structure-based clustering algorithm…which computes the similarity of log messages…The structural and format information in log messages are used in the LogTree algorithm, and the event can be generated more effectively and efficiently utilizing message segment table. The LogTree algorithm builds tree patterns for log messages, where the root of a tree pattern is the category of the log message (e.g., event types) and the leaves are the field information in messages…”)
A data value classifier adapted to identify one out of a predefined set of attribute types a data value contained in an original object belongs, the determination being performed in dependence of the position and combination of data values contained in the original event object (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Additionally, and/or in the alternative, Pg. 8 “Recently, Tang and Li…presented a tree-structure-based clustering algorithm…which computes the similarity of log messages…The structural and format information in log messages are used in the LogTree algorithm, and the event can be generated more effectively and efficiently utilizing message segment table. The LogTree algorithm builds tree patterns for log messages, where the root of a tree pattern is the category of the log message (e.g., event types) and the leaves are the field information in messages…”
The examiner notes that identifying a particular data value that was extracted from a log message and using that information to generate an event (e.g. the canonical event object) teaches “A data value classifier adapted to identify one out of a predefined set of attribute types a data value contained in an original object belongs, the determination being performed in dependence of the position and combination of data values contained in the original event object”.
	The examiner notes, to clarify, the purpose, as explained in Li and indeed as claimed is to take differently formatted logs and transform them into a structured and “consistent” (e.g. canonical) format. Using the structure of a log to identify the different components of that log and using that to generate an event teaches the claim language.)
And to store the classified data values as attribute values at predefined position in the canonical event object generated by the transformation of the original event object (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Additionally, and/or in the alternative, Pg. 8 “Recently, Tang and Li…presented a tree-structure-based clustering algorithm…which computes the similarity of log messages…The structural and format information in log messages are used in the LogTree algorithm, and the event can be generated more effectively and efficiently utilizing message segment table. The LogTree algorithm builds tree patterns for log messages, where the root of a tree pattern is the category of the log message (e.g., event types) and the leaves are the field information in messages…”
Pg. 45:5 Section 2.1 “Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logic from multiple components…”
Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection …”)

With respect to Claim 17, Li teaches a computer system comprising: a database comprising a plurality of original event objects respectively being stored in association with a canonical event object (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs [e.g. the claimed “a plurality of original event objects].” 
Pg. 45:5 Section 2.1 “Converting log messages [e.g. the claimed “original event objects] to events [e.g. the claimed “canonical event object] provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logic from multiple components…”
Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection [e.g. the claimed “providing a database”]…”
To clarify further, the examiner notes that Li’s “log data” (e.g. the raw collected data) being transformed such that some grouping of the data is recognized or otherwise generated as an “event” teaches “a plurality of original event objects respectively being stored in association with a canonical event object.”).
wherein the original event objects being generated by one or more IT-monitoring systems (Li Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection.”
Li Pg. 45:4 Section 2 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component (e.g. started, interrupted, connected, and stopped), its CPU utilization, and its parameter values. 
Li Pg. 45:9 Section 3.1 “A typical example for temporal data in system management is illustrated in Figure 4. System monitoring, one important component in system management, tracks the states of a system by collecting system information…” 
The examiner notes that monitoring a system by collecting system information (e.g. logs) teaches “wherein the original event objects being generated by one or more IT-monitoring systems”.).
each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”  
The examiner notes that collecting logs from disparate sources each of which have disparate formats teaches “wherein each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object”.). 
each original event object comprising one or more data values characterizing an event (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”)
the canonical event objects having a shared canonical data format (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs…” 
The examiner notes that transforming log data into a canonical form which creates consistency teaches “wherein the canonical event objects having a shared canonical data format”. To clarify, when Li generates or otherwise creates events from the disparate log data, each of those events, while potentially starting in a different data format, now, after transformation, have a common data format (e.g. whatever data format the event is).).
each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been manually and/or automatically assigned for handling the event represented by the original event object (Li 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…By organizing the messages into a set of common semantic events (also termed “situations” or “categories”), that is, adding a semantic situation type to a message…, the transformed representation creates consistency, enables the correlation discovery across multiple logs, and also provides the initial connections of syntax to semantics…”
Li Pg. 45:7 section 2.4 Log Message Classification “A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular expression pattern for an event type. Then, when a log message is collected, if it matches the given regular expression, it will then be categorized to the corresponding event type.” 
The examiner notes that classifying or otherwise finding categories in which the log messages (e.g. original event object(s)) belong teaches “wherein each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been assigned for handling the event represented by the original event object”.)
the canonical event object comprising one or more attribute values derived from the data values of the associated original event object (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Li Pg. 45:4 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component..., its CPU utilization, and its parameter values...” 
The examiner notes that an event (e.g. canonical event object) which contains extracted variable values from the log message (e.g. original event object) as attributes of the event teaches “the canonical event object comprising one or more attribute values derived from the data values of the associated original event object”.)
A machine learning framework configured to apply a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes, and to further clarify, Li’s learning-based method is trained on log messages (e.g. original event objects) that have been labeled (e.g. transformed into canonical event objects). Then, based on this training set, a classification model is generated to label incoming log messages (e.g. original event object) into an event which has an event type (e.g. canonical event object). This learning of event types which is then applied to incoming log messages teaches “executing a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format”.).
With respect to Claim 18, Li teaches a computer system comprising: 
a trained machine learning program configured to transform original event objects having one or more original data format into a canonical event object having canonical data format (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes, and to further clarify, Li’s learning-based method is trained on log messages (e.g. original event objects) that have been labeled (e.g. transformed into canonical event objects). Then, based on this training set, a classification model is generated to label incoming log messages (e.g. original event object) into an event which has an event type (e.g. canonical event object). This learning of event types which is then applied to incoming log messages teaches “a trained machine learning program configured to transform original event objects having one or more original data format into a canonical event object having canonical data format”.).
each of the original event objects comprising one or more data values characterizing an event (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”)
the canonical data format being processable by a local or remote event handling system (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…” 
The examiner notes that, as shown above, the events are generated by at least a trained classification model. And, as seen, incident tickets are created. The examiner notes that the incoming automatically transformed events being assigned (e.g. creating) an incident ticket in a ticketing system teaches “…the canonical data format being processable by a local or remote event handling system”.). 
each of the original data format of each of the original event objects being particular for the type of IT monitoring system having generated the original event object (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”  
The examiner notes that collecting logs from disparate sources each of which have disparate formats teaches “each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object”.). 
an interface for receiving a new original event object from one or more active IT-monitoring systems, each of the active IT-monitoring systems (Li Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection.”
Li Pg. 45:4 Section 2 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component (e.g. started, interrupted, connected, and stopped), its CPU utilization, and its parameter values. 
Li Pg. 45:9 Section 3.1 “A typical example for temporal data in system management is illustrated in Figure 4. System monitoring, one important component in system management, tracks the states of a system by collecting system information…”)
an interface to the local or remote event handling system (Li c.f. Figure 16 Note the events going to the enterprise console. The sending of events from a customer server to an enterprise console teaches “an interface to the local or remote event handling system”). 

and a transformation coordination program adapted to: using the trained machine learning program for automatically transforming the received new original event object into a new canonical event object having canonical data format, the canonical event object comprising one or more attribute values derived from the data values of the associated original event object (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Li Pg. 45:4 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component..., its CPU utilization, and its parameter values...”)
and providing the new canonical event object to the event handling system for automatically handling the new event represented by the new canonical event object as a function of the attribute values contained in the new canonical event object (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…” 
The examiner notes that, as shown above, the events are generated by at least a trained classification model. And, as seen, incident tickets are created. The examiner notes that the incoming automatically transformed events being assigned (e.g. creating) an incident ticket in a ticketing system teaches “…and providing the new canonical event object to the event handling system for automatically handling the new event represented by the new canonical event object as a function of the attribute values contained in the new canonical event object”.)
With respect to Claim 19, Li teaches further comprising the event handling system (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…” 
The examiner notes that, as shown above, the events are generated by at least a trained classification model. And, as seen, incident tickets are created. The examiner notes that the incoming automatically transformed events being assigned (e.g. creating) an incident ticket in a ticketing system teaches “further comprising the event handling system”.)

With respect to Claim 20, Li teaches A computer program product for processing events, the computer program product comprising: one or more computer-readable tangible storage medium and program instructions stored on at least one of the one or more tangible storage medium, the program instructions executable by a processor, the program instructions comprising: program instructions to provide a database comprising a plurality of original event objects respectively being stored in association with a canonical event object (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs [e.g. the claimed “a plurality of original event objects].” 
Pg. 45:5 Section 2.1 “Converting log messages [e.g. the claimed “original event objects] to events [e.g. the claimed “canonical event object] provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logic from multiple components…”
Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection [e.g. the claimed “providing a database”]…”
To clarify further, the examiner notes that Li’s “log data” (e.g. the raw collected data) being transformed such that some grouping of the data is recognized or otherwise generated as an “event” teaches “a plurality of original event objects respectively being stored in association with a canonical event object.”).
wherein the original event objects being generated by one or more IT-monitoring systems (Li Pg. 45:2 “Log Data Organization: The log data are generated and collected by different system components, possibly with instrumented applications. Log Parser/Adaptor [Emphasis in original] and Event Generation [emphasis in original] enable generic data collection, integration, and transformation from multiple heterogenous data sources into the historical data collection.”
Li Pg. 45:4 Section 2 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component (e.g. started, interrupted, connected, and stopped), its CPU utilization, and its parameter values. 
Li Pg. 45:9 Section 3.1 “A typical example for temporal data in system management is illustrated in Figure 4. System monitoring, one important component in system management, tracks the states of a system by collecting system information…” 
The examiner notes that monitoring a system by collecting system information (e.g. logs) teaches “wherein the original event objects being generated by one or more IT-monitoring systems”.).

wherein each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”  
The examiner notes that collecting logs from disparate sources each of which have disparate formats teaches “wherein each of the original event object having an original data format being particular for the type of IT monitoring system having generated the original event object”.). 
wherein each original event object comprising one or more data values characterizing an event (Li Pg. 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…Converting log messages to events provides the capability of canonically describing the semantics of log data and improves the ability of correlating the logs from multiple components. Due to the heterogenous nature of current systems, the log generating mechanisms result in disparate formats and contents focused on individual components. Each component may generate the data using its own format and content…”)
wherein the canonical event objects having a shared canonical data format (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs…” 
The examiner notes that transforming log data into a canonical form which creates consistency teaches “wherein the canonical event objects having a shared canonical data format”. To clarify, when Li generates or otherwise creates events from the disparate log data, each of those events, while potentially starting in a different data format, now, after transformation, have a common data format (e.g. whatever data format the event is).).
wherein each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been assigned for handling the event represented by the original event object (Li 45:5 Section 2.1 “Each message in the example describing a certain event. To understand and analyze the behaviors of FTP visits, these messages are often converted into types of events and organized as timelines…By organizing the messages into a set of common semantic events (also termed “situations” or “categories”), that is, adding a semantic situation type to a message…, the transformed representation creates consistency, enables the correlation discovery across multiple logs, and also provides the initial connections of syntax to semantics…”
Li Pg. 45:7 section 2.4 Log Message Classification “A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular expression pattern for an event type. Then, when a log message is collected, if it matches the given regular expression, it will then be categorized to the corresponding event type.” 
The examiner notes that classifying or otherwise finding categories in which the log messages (e.g. original event object(s)) belong teaches “wherein each canonical event object comprising a class-ID being indicative of the one out of a plurality of event classes to which its associated original event object has been assigned for handling the event represented by the original event object”.)
the canonical event object comprising one or more attribute values derived from the data values of the associated original event object (Li Bottom of Pg. 45:6 into 45:7 “Implementing a log parser is a straightforward solution to converting textual logs [e.g. original event object(s)] into structural events [e.g. canonical event object(s)]…The log generation code usually has some fixed patterns...the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.” 
Li Pg. 45:4 “The data in the log/trace files indicate the status of each component and are usually collected or reported when some event occurs. Contents of the data may include the running states of the component..., its CPU utilization, and its parameter values...” 
The examiner notes that an event (e.g. canonical event object) which contains extracted variable values from the log message (e.g. original event object) as attributes of the event teaches “the canonical event object comprising one or more attribute values derived from the data values of the associated original event object”.)
Program instructions to execute a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…”
The examiner notes, and to further clarify, Li’s learning-based method is trained on log messages (e.g. original event objects) that have been labeled (e.g. transformed into canonical event objects). Then, based on this training set, a classification model is generated to label incoming log messages (e.g. original event object) into an event which has an event type (e.g. canonical event object). This learning of event types which is then applied to incoming log messages teaches “executing a learning algorithm on the associated original and canonical event objects for generating a trained machine learning program adapted to transform an original event object of any one of the one or more original data formats into a canonical event object having the canonical data format”.).
Program instructions to use the trained machine learning program for automatically transforming original event objects generated by an active IT-monitoring system into canonical event objects… (Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…” 
The examiner notes that using the generated classification model (e.g. trained model) to classify incoming log messages (e.g. original event object(s)) into an event with an event type (e.g. canonical event object(s)) teaches “…and using the trained machine learning program for automatically transforming original event objects generated by an active IT-monitoring system into canonical event objects”.).
 …respectively being processable by an event handling system (Li Pg. 45:34 Section 6.1 “The typical workflow for the IT service provider prescribed by the ITIL specification…involving problem detection, determination, and resolution is shown in Figure 16…In terms of problem detection, the monitoring system runes on the servers, which computes metrics for the performances of hardware and software at regular intervals. The system then compares those metrics with acceptable thresholds called monitoring situations [emphasis in original], and any violation would result in an alert. An event will be emitted by the monitoring if the alert persists beyond a predefined delay. Events coming from an IT environment [e.g. those events as labeled/classified/otherwise automatically transformed] are consolidated in an enterprise console, which analyzes the monitoring events as well as creates incident tickets in a ticketing system…” 
The examiner notes that, as shown above, the events are generated by at least a trained classification model. And, as seen, incident tickets are created. The examiner notes that the incoming automatically transformed events being assigned (e.g. creating) an incident ticket in a ticketing system teaches “…respectively being processable by an event handling system”.”).




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


For clarity of record and ease of reading, the examiner notes the following: 
Any text that is bolded is a limitation of a claim. 
The “teaching” or reference citation, along with any necessary examiner notes are contained within the parentheses “()” following the bolded claim language. 
Any text that is underlined is emphasized language from reference(s) used and/or particular important examiner notes. While NOT fully reflective of the rejection as a whole, these underlined passages are indicative or otherwise reflective of key evidence.   

Claim(s) 9 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li, Tao et. al. (“Data-Driven Techniques in Computing System Management”, NPL 2017, hereinafter “Li”) and further in view of Salahshour et al. (US 7,895,137 B2, hereinafter Salahshour)

With respect to Claim 9, Li teaches 
preprocessing the received original event object, the preprocessed original event object being transformed by the machine learning program into the new canonical event object, the preprocessing comprising: applying one or more natural language processing functions on the new original event object for extracting one or more data values contained in the new original event object (Li Section 2.3 Pg. 6 “Implementing a log parser is a straightforward solution to converting textual logs into structural events…In particular, using the Common Base Event (CBE) format, the Generic Log Adaptor (GLA) provided in the IBM Autonomic Computing toolkit allows for generic data collection from heterogenous data sources…The output is a log parser or some information to be embedded into a log parser…The log generation code usually has some fixed patterns. As mentioned in Xu…the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.”  
Li pg. 7 “In many applications, the monitoring and analysis only need to extract the types of events described in the log messages…A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular express pattern [e.g. claimed “natural language processing function] for an event type. Then, when a log message is collected, if it matches a given regular expressions, it will then be categorized to the corresponding event type…” 
The examiner first notes the interpretation given to at least this limitation in the Claim interpretation section above. Using a log parser to take textual logs and transform them into structural events where the log parser can extract the variable values as attributes of the events teaches “applying one or more natural language processing functions on the new original event object for extracting one or more data values contained in the new original event object”.)
applying a parser on the new original event object for extracting one or more data values contained in the new original event object (Li Section 2.3 Pg. 6 “Implementing a log parser is a straightforward solution to converting textual logs into structural events…In particular, using the Common Base Event (CBE) format, the Generic Log Adaptor (GLA) provided in the IBM Autonomic Computing toolkit allows for generic data collection from heterogenous data sources…The output is a log parser or some information to be embedded into a log parser…The log generation code usually has some fixed patterns. As mentioned in Xu…the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.”  
The examiner first notes the interpretation given to at least this limitation in the Claim interpretation section above. Using a log parser to take textual logs and transform them into structural events where the log parser can extract the variable values as attributes of the events teaches “applying a parser on the new original event object for extracting one or more data values contained in the new original event object”.).
checking if the extracted data values comprise one or more distinct event class names and, if so, assigning an event class label to the extracted data value (Li pg. 7 “In many applications, the monitoring and analysis only need to extract the types of events described in the log messages…A straightforward approach to identifying the event types of log messages is the classification method, which categorizes a log message into several pre-defined event types. A simple classification method is to define a regular express pattern [e.g. claimed “natural language processing function] for an event type. Then, when a log message is collected, if it matches a given regular expressions, it will then be categorized to the corresponding event type…”).
…
adding one or more data values extracted from the original event object by a natural language processing function as attribute values or as event class names to the preprocessed original event object (Li Section 2.3 Pg. 6 “Implementing a log parser is a straightforward solution to converting textual logs into structural events…In particular, using the Common Base Event (CBE) format, the Generic Log Adaptor (GLA) provided in the IBM Autonomic Computing toolkit allows for generic data collection from heterogenous data sources…The output is a log parser or some information to be embedded into a log parser…The log generation code usually has some fixed patterns. As mentioned in Xu…the source code can be viewed as the schema of the logs, and the structure of the generated logs can be inferred from the schema. Then, the log parser makes use of the schema to determine the event type of each log message. It also can extract the variable values as the attributes of the event.”)
Li, however, does appear to explicitly disclose: 
checking if the extracted data values comprise one or more distinct attribute names and, if so, assigning a data field name to the extracted data value, the data field name being chosen in accordance with the canonical data format 
Salahshour teaches checking if the extracted data values comprise one or more distinct attribute names and, if so, assigning a data field name to the extracted data value, the data field name being chosen in accordance with the canonical data format (Col. 3 Lines 55-67 “The Generic Log Adapter (GLA) is a rule-based tool that transforms software log events into the [Common Base Event] CBE [e.g.  claimed canonical data object] event format of the autonomic computing architecture…Parser 124 defines a set of string mappings to convert the message received from the extractor 122 to Common Base Event entries…” Col. 4 Lines 1-15 “…and an attribute processing phase implements a specific set of substitution rules that are executed to determine the attribute values. Furthermore, Parser 124 may ‘tokenize’ the message into a series of name-value-pairs during the global processing phase, and then refer to these by name during the attribute processing phase. Formatter 126 receives the attributes and their values from parser 124 and then creates the CBE object instance [e.g. canonical data format/object] …” 
The examiner notes that receiving extracted attribute value name-pairs (e.g. one or more distinct attribute names), tokenizing, and referring to these pairs when creating and formatting the common base event object teaches “checking if the extracted data values comprise one or more distinct attribute names and, if so, assigning a data field name to the extracted data value, the data field name being chosen in accordance with the canonical data format”.).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the preprocessing using the parser and natural language functions as taught by Li modified with the checking of attribute values to map data to a common data format as taught by Salahshour because this would allow for the efficient mapping of numerous log messages (in possibly different formats); in turn, this would save time when processing events (Salahshour Col. 1 Lines 55-62). 
With respect to Claim 16, the combination of Li and Salahshour teach 
analyzing the canonical event objects in the database for determining if some or all canonical event objects lack an attribute value required according to the canonical data format (Salahshour Col. 5 Lines 42-65 “At a high level, SMC-R 202 provides situation categories to IT messages/event using a two-tiered classification process. After the message is identified, map annotator 212 of SMC-R 202 check event-to-situation mapping file 222 for the message identifier, when available from SMC-O 204. If the message is matched, the situation category is appended to the IT resource event. If the message is not listed in event-to-situation mapping file 222, SMC-R 202 invokes one or more computationally intensive classification processes. IN the second tier, classification rules are applied to the IT resource message for obtaining unique weighted situation categories…from each classifier. The message is annotated with weighting (confidence) information and with a corresponding situation category from classifiers that found a situation match…The optional annotators are used to handle any new or those messages/events that could not find a match in the event-to-situation map file. These annotators may add situation category, confidence level, etc. to the incoming IT resource messages/events…[Col. 6 Lines 2-3] and the result is added to the event (e.g. the CBE formatted event)…” 
The examiner notes that analyzing a message/event for a situation category (e.g. the claimed “…an attribute value required according to the canonical data format…”) and NOT finding a situation category teaches “analyzing the canonical event objects in the database for determining if some or all canonical event objects lack an attribute value required according to the canonical data format”.)
based on determining that at least one of the canonical event objects lacks an attribute value required according to the canonical data format, applying the trained ML program on the original event objects in the database to create updated versions of the canonical event objects that comprise the attribute value that was determined to be lacking (Salahshour Col. 5 Lines 42-65 “At a high level, SMC-R 202 provides situation categories to IT messages/event using a two-tiered classification process. After the message is identified, map annotator 212 of SMC-R 202 check event-to-situation mapping file 222 for the message identifier, when available from SMC-O 204. If the message is matched, the situation category is appended to the IT resource event. If the message is not listed in event-to-situation mapping file 222, SMC-R 202 invokes one or more computationally intensive classification processes. In the second tier, classification rules are applied to the IT resource message for obtaining unique weighted situation categories…from each classifier. The message is annotated with weighting (confidence) information and with a corresponding situation category from classifiers that found a situation match…The optional annotators are used to handle any new or those messages/events that could not find a match in the event-to-situation map file. These annotators may add situation category, confidence level, etc. to the incoming IT resource messages/events…[Col. 6 Lines 2-3] and the result is added to the event (e.g. the CBE formatted event)…”
The examiner notes that applying classification rules to find a situation category (e.g. the claimed attribute value required) and appending that found or otherwise classified situation category teaches “based on determining that at least one of the canonical event objects lacks an attribute value required according to the canonical data format, applying the trained ML program on the original event objects in the database to create updated versions of the canonical event objects that comprise the attribute value that was determined to be lacking”.)
retraining the trained ML program on the original event objects and the respectively assigned updated versions of the canonical data objects in the database for providing a re-trained version of the machine-learning program (Salahshour Col. 6 Lines 6-12 “The process includes data preprocessing/formatting, an initial classifier based on some initial seed and/or current knowledge, a reviewing process that allows a user (expert) to modify the classification results and rules, with data mining and machine learning algorithms that can learn from examples and build knowledge and rules needed for classifiers…[Col. 6 lines 50-56] Finally, in the case that a catalog was the source of the data, an event to situation table is generated of (catalog entry identifier, situation) pairs. By the end of the process, the stored parsed data is now labeled and reviewed, and may be used as a training set for supervised learning. As a by-product of the iterative process, a keyword rule classifier is also generated from the labeled data set.”). 


Claim(s) 5-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li, Tao et. al. (“Data-Driven Techniques in Computing System Management”, NPL 2017, hereinafter “Li”) and further in view of Vojir et al. (“Business Rule Learning with Interactive Selection of Association Rules”, NPL 2014). 
With respect to Claim 5, Li teaches all of the limitations of Claim 1 as discussed above.
Li additionally teaches …one or more explicit event object transformation rules…explicit event object transformation rules…the transformation of the original event object into the canonical event object in accordance with the input event object transformation rules (Li Pg. 45:3 “Section 2 investigates the methods that can transform the log data in disparate formats and contents into a canonical form, which creates consistency and enables the correlation discover across multiple logs…” Li Pg. 45:7 “Another approach for log message classification is the learning-based method. Users can provide some labeled log messages, where the event type of each log message is assigned. Then, the learning algorithm builds [e.g. generates] a classification model using the labeled data to classify incoming log messages…” 
The examiner notes that using a classifier or other method as disclosed in Li section 2 which “…transform[s] the log data in disparate formats…into a canonical form…” teaches “…one or more explicit event object transformation rules…explicit event object transformation rules…the transformation of the original event object into the canonical event object in accordance with the input event object transformation rules”)

Li, however, does not appear to explicitly disclose:
exporting, by the trained machine-learning program, … rules; 
inputting the… rules into a rules engine; and
performing, by the rules engine, … 

Vojir teaches exporting, by the trained machine-learning program,… rules (Vojir Pg. 1 “This paper presents a complete implementation of a prototype decision support system, which: automatically learns decision rules from data, allows the domain expert to edit the result rule base, deploys the rules to a Business Rule Management System (BRMS), which can apply the rules to score incoming objects…”
Pg. 3 “Within one web application, the user can launch multiple rule learning tasks, export selected rules to the knowledge base (business rule base), edit the saved rules and apply the rules on test data.”
See Figure 1. Note the steps and especially note the arrow from “Classification model testing” to “Business rule base”
The examiner notes that exporting selected learned rules to a knowledge base (business rule base) (e.g. claimed “rules engine”) teaches “exporting, by the trained machine-learning program, one or more explicit event object transformation rules.”)
inputting … rules into a rules engine (Vojir Pg. 1 “This paper presents a complete implementation of a prototype decision support system, which: automatically learns decision rules from data, allows the domain expert to edit the result rule base, deploys the rules to a Business Rule Management System (BRMS), which can apply the rules to score incoming objects…”
Pg. 3 “Within one web application, the user can launch multiple rule learning tasks, export selected rules to the knowledge base (business rule base), edit the saved rules and apply the rules on test data.”
See Figure 1. Note the steps and especially note the arrow from “Classification model testing” to “Business rule base”
The examiner notes that taking the rules learned by the classification model and sending or otherwise exporting them to a rules engine or otherwise deploying the rules to a Business Rule Management System teaches “inputting the explicit event object transformation rules into a rules engine”.)
performing, by the rules engine, … (Vojir Pg. 1 “This paper presents a complete implementation of a prototype decision support system, which: automatically learns decision rules from data, allows the domain expert to edit the result rule base, deploys the rules to a Business Rule Management System (BRMS), which can apply the rules to score incoming objects…” 
The examiner notes that deploying the rules to a management system which then applies the rules to incoming objects teaches “performing, by the rules engine, ...”.)
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the object transformation rules as taught by Li  modified with the exporting and application of the rules engine as taught by Vojir because using a rules engine to perform the transformation would allow the user to easily select rules, export rules, edit rules, and at least apply rules all within one platform; this would, in turn, improve the user’s experience because conducting all of at least the above operations in one platform would save time (Vojir Pg. 3 “Here we present EasyMiner-BR…EasyMiner-BR covers the entire workflow in a single environment…”).
	With respect to Claim 6, the combination of Li and Vojir teaches generating a GUI that enables a user to modify and/or confirm the one or more explicit event object transformation rules (As an initial matter, the phrase “and/or”, while believed to be definite, will be interpreted as “at least one of”. That is, the limitation is met by the prior art if the prior art teaches at least one of “modify” or “confirm”. 
	Vojir Pg. 7 c.f. Figure 3. Pg. 7 “The rule editor (Fig. 3) allows the user to edit the rules exported from the rule clipboard, delete them, and add new rules.”)
 	
Claim(s) 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Li, Tao et. al. (“Data-Driven Techniques in Computing System Management”, NPL 2017, hereinafter “Li”) and further in view of Srivastava (US 2019/0251487 A1)
With respect to Claim 11, Li teaches all of the limitations of Claim 10 as described above. 
Li, however, does not appear to explicitly disclose: 
Analyzing, by the event handling system, the priority level of the new canonical event object for automatically prioritizing the new event in accordance with its priority level
Srivastava teaches analyzing, by the event handling system, the priority level of the new canonical event object for automatically prioritizing the new event in accordance with its priority level (Srivastava Pg. 6 [0109] “The application server 102 has the ability to create, update, process and link tickets automatically…The user 110 can define various ticket parameter including type, category, severity, priority and other annotations as needed. The application server 102 can also automatically determine the transactions that should be converted into tickets and can convert them into tickets. The application server 102 processes any generated or created tickets through a set of AI models designed to produce classifications for tickets in real time and appends the AI driven classifications to the tickets…[0123] n. priority…[0128] The application server can analyze the content of the ticket and assign the ticket automatically…The application server 102 uses the following information as input to determine who to assign the ticket…[0131] c. the priority of the ticket. [0132] d. the severity of the ticket…” 
The examiner notes that assigning a ticket automatically based on the appended priority of the ticket based on the analysis of the ticket teaches “analyzing, by the event handling system, the priority level of the new canonical event object for automatically prioritizing the new event in accordance with its priority level”.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the incident tickets and severity codes as taught by Li modified with the automatic analysis and automatic assignment of tickets based on priority level as taught by Srivastava because this would allow the ticket system (e.g. event handling system) to more efficiently and quickly process tickets leading to an improved user experience (Srivastava Pg. 6). 

Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. Das et al. “Extracting and Labeling Custom Information from Log Messages”, US 2018/0285432 A1. Similar Inventive Concept. Note Especially Fig. 3A and the Log Processing Pipeline 308. 
2. Grabarnik et al. “Smart Event Parser for Autonomic Computing” US 2004/0128674. Similar inventive concept. Note Especially Figure 1 in comparison to Instant figure 1. 
3. Grabarnik et al. 2 “Peer Based Event Conversion” US 2008/0082473 A1. Very Similar Inventive Concept. Note abstract: “A rule set to convert an event into a standardized format…” 
4. Aggarwal, Vishalaksh et al. “ReAct: A system for Recommending Action for Rapid Resolution of IT service Incidents”, NPL 2016. Discusses how to process IT tickets such that the best resolution for an incident can be recommended to a user. Note Figure 3. 
5. Kotsifakos, Evangelos E. et al. “Pattern-Miner: Integrated Management and Mining over Data Mining Models”, NPL 2008. Note Figure 1. Discusses extracting rules from patterns and using those rules to structure similar messages. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FEN TAMULONIS whose telephone number is (571)272-0934. The examiner can normally be reached 7:30AM-5:30PM MON-FRI EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann Lo can be reached on (571)-272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FEN CHRISTOPHER TAMULONIS/Examiner, Art Unit 2126   
/ANN J LO/Supervisory Patent Examiner, Art Unit 2126