Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This is in reply to papers filed on 11/23/2020. Claims 21-40 are pending. Claims 21 and 38 are independent.

Information Disclosure Statement
	The information disclosure statement(s) (IDS) submitted on 07/31/2020 is/are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement(s) is/are being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21 and 25-38 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-25 of U.S. Patent No. 10,771,486 (U.S. Patent Application No. 15/715,015) in view of Srinivasan et al. U.S. Patent No. 8676841 (hereinafter “Srinivasan”). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of U.S. Patent No. 10,771,486 render obvious the claims of the present application. Claims 1-25 of U.S. Patent No. 10,771,486 contain most elements of claims 21 and 38 of the instant application, except the features of identifying a plurality of meta-notable events by determining that a plurality of sets of notable events from the plurality of notable events satisfy a meta-notable event rule and causing display of a graphical representation of notable events from the plurality of sets of notable events, wherein the graphical representation includes an indication of a notable event that is included in at least two of the plurality of sets of notable events.  
Srinivasan at 21:62-64 and 21:48-56 teaches that all matches may be stored, which would include storing multiple bindings of events under a rule of a finite state automaton. Furthermore, Srinivasan at 21:58-60 and 28:64-29:3 teaches that a matched pattern is output, which would include outputting (i.e., displaying) the events of the matched pattern. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the method recited in claim 1 of U.S. Patent No. 10,771,486 to include 
identifying a plurality of meta-notable events by determining that a plurality of sets of notable events from the plurality of notable events satisfy a meta-notable event rule
and causing display of a graphical representation of notable events from the plurality of sets of notable events, wherein the graphical representation includes an indication of a notable event that is included in at least two of the plurality of sets of notable events, as taught by Srinivasan, in order to improve the matching of events to a rule to include multiple sets of matching events, and to facilitate display of events matching the rule. In addition, claims 1-25 of U.S. Patent No. 10,771,486 contain every element of claims 26-37; and the features of claim 25 (related to the records of meta-notable events) are taught by Srinivasan 14:1-30 table C and 21:63-64.



Claim Rejections - 35 USC § 102
	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 21, 25-26, 29, 31-33, and 35-40 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Srinivasan et al. U.S. Patent No. 8676841 (hereinafter “Srinivasan”)
As per claim 21, Srinivasan discloses 
A computer-implemented method comprising: identifying a plurality of notable events by executing a plurality of correlation searches against timestamped event data stored by a data intake and query system; 
( 
stored by a data intake and query system = the events received through the streams and stored in RAM or disk drive of the server 102 Srinivasan 6:13-24; 4:8-14; 21:62-64 
data intake and query system = server 102
the view that is generated represents the data structure that is used to store the events that are obtained from the streams and to make such events available for queries [Srinivasan 6:13-24; 53:17-31]
identifying a plurality of notable events by executing a plurality of correlation searches is disclosed by performing the union operation on multiple input streams to define a view after events, each of the streams has a search performed against it for events and therefore there is a plurality of correlation searches Srinivasan 6:13-24
)
Srinivasan 10:15-17 (63) FIG. 3 is a simplified flowchart 300 depicting a method of performing pattern matching on an event stream
Srinivasan 6:13-24 (32)  Pattern matching may also be performed over multiple event streams, for example, using CQL. In one embodiment, this may be done by first performing a UNION of all the relevant input streams over which pattern matching is to be done with the result defining a view corresponding to an intermediate stream, and the pattern to be matched can be specified over this single intermediate stream. The pattern will then be matched to all the streams included in the view.
Srinivasan 13:36-43 As shown in Table B, events are received in sequence (as determined by the time stamp associated with each event) 
Srinivasan 4:8-14  (24) FIG. 1 is a simplified block diagram of a system 100 that may incorporate an embodiment of the present invention. As depicted in FIG. 1, system 100 comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108. Streams 104, 106, and 108 may be received from different sources including a database, a file, a messaging service, 
(255)  application of the selected technique enables processing of event streams for detecting Class A patterns to be performed efficiently (e.g., in terms of memory and processing resources used) and in a manner that is scalable.
Srinivasan 53:17-31  (475) Storage media … for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, … which can be used to store or transmit the desired information and which can be accessed by a computer.
Srinivasan 52:35-48 (471) server 102 may be implemented using a system such as system 1900... Computer system 1900 may also include one or more storage devices 1908… such as disk drives…random access memory (RAM) 
Srinivasan 21:62-64 (144) For a Class A pattern, preferment rules are used to determine which matches to store. For example, all matches may be stored or only the longest match may be stored. 

identifying a plurality of meta-notable events by determining that a plurality of sets of notable events from the plurality of notable events satisfy a meta-notable event rule, wherein the meta-notable event rule defines: 
( plurality of sets of notable events = all matches may be stored Srinivasan 21:62-64
also See Srinivasan 21:48-56 ( “Even though a full pattern match has been found, in one embodiment, the full pattern match is not output and pattern matching continues to find the longest pattern match”), in other words, each of the matches that have been found and stored, even though it’s not the longest match, discloses a set of notable events that satisfy a meta-notable event rule
meta-notable event rule is disclosed by pattern to be managed
)
Srinivasan 21:48-56 (143) Since Q3 is the final state (underlined in Table H), it indicates a full pattern match for pattern AB*C. Even though a full pattern match has been found, in one embodiment, the full pattern match is not output and pattern matching continues to find the longest pattern match. The event received at seq #4 (price=10) results in symbols A, B, B and C being matched and causes the FSA to be in states Q0, Q1, Q2, and Q3. Since Q3 is the final state, it again indicates a match for pattern AB*C. 

Srinivasan 21:62-64 (144) For a Class A pattern, preferment rules are used to determine which matches to store. For example, all matches may be stored or only the longest match may be stored. 

a plurality of notable event states, wherein a notable event state of the plurality of notable event states corresponds to a correlation search of the plurality of correlation searches, and 
a plurality of transition rules, wherein a transition rule of the plurality of transition rules defines criteria for transitioning between two notable event states of the plurality of notable event states; and 
(lines 6-12 of Claim 21 describe a finite-state machine;
See Srinivasan figure 3, which shows constructing the automaton 304 (the automaton is also called a finite-state machine or finite-state automaton) and using the constructed automaton for pattern matching 306; the Srinivasan automaton is the finite state machine, which is called a meta-notable event rule in claim 1; the meta-notable event rule, when applied to the plurality of notable events, is similar to applying a query.
See Srinivasan figures 11A-Figure 12, which show examples of finite state machines constructed from regular expressions; these regular expressions are taken from queries, such as the query shown in figure 8 of the Srinivasan reference; for example, figure 12C shows a state machine with a start state, which is depicted by the number 0, and an end state, which is depicted with the number 3; there are 4 states depicted in figure 12C, which discloses a plurality of notable event states; the state machines are applied to incoming event data to determine whether there is a match between the transition rules with states and the incoming event data, which means that the disclosed event states correspond to a correlation search; this is described as pattern matching in figure 3, element 306, against timestamped event data; see 4:44 for the timestamps; the transition rules in Figure 12C are labeled with criteria for transitioning A, B, and C, which are derived from the regular expression at Srinivasan 40:62-64, and the depicted transition rules in Figure 12C disclose a plurality of transition rules
)
Srinivasan 5:22-23 patterns to be matched are specified using regular expressions. A regular expression is a string of symbols (also referred to as correlation names or correlation variables) representing the pattern to be matched.
Srinivasan 42:62-65 As with previously described queries, at compile time, an FSA is constructed for query 1300 and the constructed FSA then used to guide the pattern matching during runtime processing.
Srinivasan 6:31-43; Query 200 comprises a PATTERN component 203 that specifies a regular expression 204 identifying the pattern to be recognized in the event stream “Ticker” [the pattern is used to generate the states of the finite-state automaton and discloses event states corresponding to a correlation search]. The regular expression (A B C AB D) in query 200 comprises several symbols or correlation names. The alphabet set for a pattern comprises distinct symbols in the pattern. For the above example, the alphabet set is {A, B, C, D}. Each symbol in the alphabet corresponds to a variable name corresponding to a Boolean condition that is specified in the DEFINE component 206 of the query.
Srinivasan 13:36-43 As shown in Table B, events are received in sequence (as determined by the time stamp associated with each event) and have price attributes: 36, 35, 35, 34, 32, 32, 31, 45. The third row in Table B depicts, for each sequence time point, the symbols of the pattern that are matched by the price attribute of the event received at that time point.
Srinivasan 4:26-27 and 4:42-48; Timestamps define an order over the tuples in a data stream. An event stream can thus be considered to comprise a series of events, each
Srinivasan 11:59-65 (76) As part of the processing performed in 408, the events received in an event stream are processed and passed through a state machine corresponding to the automaton generated in 408. As part of the processing in 408, bindings are maintained after each received event to represent the state of pattern matches including partial matches that have the potential to turn into full matches.

causing display of a graphical representation of notable events from the plurality of sets of notable events, wherein the graphical representation includes an indication of a notable event that is included in at least two of the plurality of sets of notable events.  
( display of a graphical representation is interpreted to mean displaying a representation that involves graphics, which does not necessarily include displaying nodes and edges of a graph since the claim does not specifically require any edges or nodes to be displayed,
See Srinivasan 21:63-64, which states that “all matches may be stored”; therefore, for example, the events with price listed in the event column corresponding to respective sequence #s in table H are considered to be sets of notable events; all of the events of sequences identified by the sequence # together are considered to disclose a plurality of sets of notable events.
This limitation requires displaying of at least 2 notable events that satisfy the meta-notable event rule; looking at table H at Srinivasan 21:25-40, sequence #4 includes the matching symbols ABC and corresponding bindings indicated by Q0, etc., and events corresponding to these bindings are displayed as output according to Srinivasan 21:59-60, thereby disclosing display of a graphical representation of notable events from the plurality of sets of notable events; also notice that the price event of 10 in sequence #3 is a notable event also found in the bindings of sequence #4. Each of sequence #3 and sequence #4, etc. is a successful match of events with prices to the FSA, and each of sequence #3 and sequence #4 discloses a set of notable events; therefore a notable event that is included in at least two of the plurality of sets of notable events is disclosed by the display of the price event of 10 from sequence #3, i.e., when the binding of sequence #4 is displayed, that would include the display of the price event of 10 from sequence #3. Furthermore, Srinivasan 49:40 discloses “outputting an alert” and Srinivasan 52:41-42 discloses “one or more output devices 1906 (e.g., a display device”, therefore confirming that output as used in this reference includes displaying on the device.
)
Srinivasan 21:58-60 At this point, there is no longer match possible and the matched pattern at seq #4 is output. In this manner, pattern matching on the input events is performed.
Srinivasan 28:64-29:3  (251) determining matched bindings that are to be output. Full pattern matches, if any, that are to be output are then determined based upon whether or not the updated bindings comprise any bindings representing full pattern matches which are to be output (step 710). Events corresponding to the full pattern matches, if any, determined in 710 are then output (step 712).
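The mechanics discussed for claim 21 (a rule made of states and transition rules, bindings kept after each event, all matches stored, and a notable event that appears in at least two matched sets), as an added Python example that is not code from this Office action, the application, or Srinivasan. The correlation search names, hosts, event IDs, rule name, contiguous matching, and the same-host criteria are assumptions constructed for illustration; the pattern shape A B* C follows the one cited from Srinivasan 21:48-56.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Notable:
    event_id: str
    time: int      # timestamp of the notable event
    search: str    # correlation search that produced it (hypothetical names)
    host: str

# Criteria for the symbols of pattern A B* C. Each takes the incoming event
# and the first event already bound (None when the binding is still empty).
def is_a(ev, first):
    return ev.search == "excessive_failed_logins"

def is_b(ev, first):           # any notable on the host that started the match
    return ev.host == first.host

def is_c(ev, first):
    return ev.search == "outbound_transfer_spike" and ev.host == first.host

# Transition rules: (from_state, to_state, criterion). Q0 is the start state,
# Q3 the final state, Q1 and Q2 the intermediate states.
TRANSITIONS = [
    ("Q0", "Q1", is_a),
    ("Q1", "Q2", is_b), ("Q2", "Q2", is_b),
    ("Q1", "Q3", is_c), ("Q2", "Q3", is_c),
]
RULE_NAME = "login_then_exfil"  # hypothetical rule name

def find_matches(events, transitions, start="Q0", final="Q3"):
    """Run the rule over time-ordered events, keeping ALL full matches."""
    bindings, matches = [], []
    for ev in sorted(events, key=lambda e: e.time):
        advanced = []
        # Every live binding may advance; a fresh binding may also start here.
        for state, bound in bindings + [(start, ())]:
            first = bound[0] if bound else None
            for src, dst, criterion in transitions:
                if src == state and criterion(ev, first):
                    advanced.append((dst, bound + (ev,)))
                    if dst == final:
                        matches.append(bound + (ev,))
        bindings = advanced  # bindings that could not advance are dropped
    return matches

def meta_notable_records(matches):
    """One timestamped record per match, listing the notable event IDs."""
    return [{"time": m[-1].time, "rule": RULE_NAME,
             "notable_ids": [e.event_id for e in m]} for m in matches]

def shared_notables(records):
    """IDs of notable events that belong to at least two matched sets."""
    counts = Counter(i for r in records for i in r["notable_ids"])
    return sorted(i for i, n in counts.items() if n >= 2)

def render(events, records):
    """Text view of the matched events; '*' marks events in two or more sets."""
    counts = Counter(i for r in records for i in r["notable_ids"])
    return [f"{e.event_id} t={e.time} {e.search} {e.host} "
            f"sets={counts[e.event_id]}{' *' if counts[e.event_id] >= 2 else ''}"
            for e in sorted(events, key=lambda e: e.time) if counts[e.event_id]]

# Constructed sample notable events (not taken from any real system).
SAMPLE = [
    Notable("n1", 100, "excessive_failed_logins", "web01"),
    Notable("n2", 160, "outbound_transfer_spike", "web01"),  # matches B and C
    Notable("n3", 220, "outbound_transfer_spike", "web01"),  # matches B and C
    Notable("n4", 300, "excessive_failed_logins", "db02"),   # partial match only
]

if __name__ == "__main__":
    recs = meta_notable_records(find_matches(SAMPLE, TRANSITIONS))
    for rec in recs:
        print(rec)
    print("\n".join(render(SAMPLE, recs)))
```

Because n2 satisfies both the B and the C criterion, the run yields a short match and a longer one that contains it, which is the overlap the "at least two of the plurality of sets" limitation turns on.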

	
As per claim 25, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses storing a plurality of records representing the plurality of meta-notable events, and wherein each record of the plurality of records is a timestamped event including identifiers of notable events comprising a set of notable events associated with the record.  
(See Srinivasan 14:1-30 table C, each sequence # row discloses a record, and all the rows  corresponding to each of the sequence # together disclose plurality of records representing the plurality of meta-notable events.  In claim 25, the plurality of meta-notable events are the events that match the meta-notable event rule of claim 1, and such events that match the query pattern are disclosed by each sequence # row of table C.
identifiers of notable events= mapping information between a symbol and the event from the stream, as stored with the stored bindings. Srinivasan 14:59-65. Also see 14:47 “Each binding also identifies the events”
Srinivasan 21:63-64 states that “all matches may be stored” which discloses storing a plurality of records
a set of notable events associated with the record disclosed by the events that are mapped by the mapping information and corresponding to indicated matches under the matching symbol column of table C.
)
Srinivasan 35:39-40 (307) 1) ReadyToOutputList--This list contains all the potential output bindings in the increasing order of output timestamp.
Srinivasan 14:30-52 (89) The first column of Table C "Seq #" identifies the sequence number indicating the sequence time point at which an event is received. The second column "Price" indicates, for each sequence, the value of the price attribute of the event received in the event stream in that sequence point. The third column "Matched Symbol" identifies, for each event, the symbol or correlation name(s) that is matched by the event received at the sequence. Zero or more symbols may be matched by an event. The fourth column "State of FSA" identifies, for each sequence, the different states in which the FSA may be in after processing the event received in that sequence. The fifth column "Stored Bindings", for each sequence time point, indicates the bindings that are stored for a sequence time point after processing an event received at that sequence time point. Each binding identifies a partial or full match of the pattern to be matched. In Table C, each binding identifies a state representing a partial or full match after processing an event. Each binding also identifies the events that cause the binding to be in that state. For example, a binding Q2: (2,3,*,*,*,*) represents a partial match (of the first two symbols) of the pattern being matched and corresponds to the FSA being in state Q2 due to prices associated with events received in seq #2 and seq #3 
Srinivasan 14:59-65 (90) Bindings stored after processing an event encapsulate partial or full matches. A binding indicates that degree to which a pattern is matched as a result of the last received event. Bindings stored after receiving an event may indicate partial matches that have the potential of becoming longer matches or full matches. They contain the mapping information between a symbol and the event from the stream.

As per claim 26, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein the event data comprises a plurality of events, and wherein each event includes a portion of raw machine data created by one or more components of an information technology (IT) or security environment.  
(Srinivasan Figure 1 depicts an IT or security environment
raw machine data created by one or more components= series of temperature readings from a sensor such as 10.degree Srinivasan 4:44-46
wherein the event data comprises a plurality of events disclosed by the event data stored in memory or disk and accessed for queries Srinivasan 13:36-43; 53:17-31  
an information technology (IT) or security environment disclosed by Srinivasan Figure 1 including the database, messaging service, etc.
 )
Srinivasan 13:36-43 As shown in Table B, events are received in sequence (as determined by the time stamp associated with each event) 
Srinivasan 53:17-31  (475) Storage media … for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, … which can be used to store or transmit the desired information and which can be accessed by a computer.
Srinivasan 4:7-16 (24) FIG. 1 is a simplified block diagram of a system 100 …comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108. Streams 104, 106, and 108 may be received from different sources including a database, a file, a messaging service, various applications, devices such as various types of sensors (e.g., RFID sensors, temperature sensors, etc.), tickers 
Srinivasan 4:19-20 (25) A data or event stream is a real-time sequence of events. Multiple events may be received in a stream. 
Srinivasan 4:44-46 For example, an event stream may comprise a series of temperature readings from a sensor such as 10.degree., 15.degree., 20.degree., etc. and associated time stamps. 




As per claim 29, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses causing display of a graphical user interface (GUI) including graphical elements used to receive input specifying the plurality of notable event states and the plurality of transition rules.  
Srinivasan 5:4-18 (27) In the embodiment depicted in FIG. 1, server 102 comprises a pattern matching module 110 …… comprises a pattern input interface 112… Pattern input interface 112 provides an interface for receiving information specifying patterns to be matched in the event streams. Pattern input interface 112 may provide a graphical user interface that allows information to be entered specifying one or more patterns to be matched, a command line interface for specifying the patterns to be matched, or some other interface. A pattern to be matched may be specified by a user of server 102. 
Srinivasan 9:11-15 (58) In one embodiment, the pattern matching process comprises constructing a finite state automaton (FSA) for a given pattern and then using the constructed FSA to guide the pattern matching process during runtime as events are received.

As per claim 31, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein the plurality of transition rules links a start state to an end state based on transitions to one or more intermediate notable event states between the start state and the end state.  
(See, for example, Srinivasan figure 12 C for an example state machine which discloses a meta-notable event rule, and which shows the start state with the number 0 inside double circle, and end state which is the number 3 inside double circle, and the remaining states 1 and 2 inside the double circles disclosing intermediate notable event states, and arrows indicating the transitions.
).

As per claim 32, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses executing the plurality of correlation searches on a periodic basis.   ( As the streams are coming in, the server 102 continually updates the memory/disk drive with the received event data from the streams and searches through the streams for events. Continuously searching the streams for events discloses executing… searches on a periodic basis
 )
Srinivasan 4:7-16 (24) FIG. 1 is a simplified block diagram of a system 100 …comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108
Srinivasan 53:17-31  (475) Storage media … for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, … which can be used to store or transmit the desired  information and which can be accessed by a computer.
Srinivasan 4:55-5:1 (26) Server 102 is configured to perform various types of processing on the incoming streams. According to an embodiment of the present invention, server 102 is configured to detect patterns in the incoming event streams based upon the events in the event streams received by server 102. … Server 102 may also perform other types of processing on the input streams such as running other continuous queries on the incoming event streams, and other operations. 
Srinivasan 6:13-24 (32)  Pattern matching may also be performed over multiple event streams, for example, using CQL. In one embodiment, this may be done by first performing a UNION of all the relevant input streams over which pattern matching is to be done with the result defining a view corresponding to an intermediate stream, and the pattern to be matched can be specified over this single intermediate stream. The pattern will then be matched to all the streams included in the view.


As per claim 33, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein the plurality of correlation searches are executed to identify event data stored in a field-searchable data store matching one or more search criteria, and wherein the stored event data comprises timestamped events that include a portion of raw machine data created by a component of an information technology (IT) or security environment and which relates to activity of the component in the IT or security environment.   	( As the streams are coming in, the server 102 continually updates the memory/disk drive with the received event data from the streams and searches through the streams for events. Srinivasan 53:17-31.  Continuously searching the streams for events discloses identify event data stored in a data store 
field-searchable data store matching one or more search criteria disclosed by the data stream including tuples and other continuous queries on the incoming event streams Srinivasan 4:55-5:1
event data stored in a data store is the event data received and stored in the memory or the disk drive of server 102, the event data processed to generate the view Srinivasan 6:13-24 
raw machine data created by a component = series of temperature readings from a sensor such as 10.degree Srinivasan 4:44-46
the stored event data comprises timestamped events disclosed by the timestamp data stored in memory or disk and accessed for queries Srinivasan 13:36-43; 53:17-31  
an information technology (IT) or security environment disclosed by Srinivasan Figure 1 including the database, messaging service, etc.
 )
Srinivasan 4:7-18 (24) FIG. 1 is a simplified block diagram of a system 100 …comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108
system 100 comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108. Streams 104, 106, and 108 may be received from different sources including a database, a file, a messaging service, various applications, devices such as various types of sensors (e.g., RFID sensors, temperature sensors, etc.), tickers, and the like. Server 102 may receive the streams via a push-based mechanism or a pull-based mechanism or other mechanisms.
Srinivasan 4:22-47 In one embodiment, a data stream is a sequence of <tuple, timestamp> pairs. The tuple refers to the data portion of a stream. A tuple may be considered as similar to a row in a table. The tuples in a stream have a schema. A stream can include multiple tuples. Timestamps define an order over the tuples in a data stream. The timestamps in a data stream may reflect an application's notion of time,
an event stream may comprise a series of temperature readings from a sensor such as 10°, 15°, 20°, etc. and associated time stamps.
Srinivasan 53:17-31  (475) Storage media … for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, … which can be used to store or transmit the desired  information and which can be accessed by a computer.
Srinivasan 4:55-5:1 (26) Server 102 is configured to perform various types of processing on the incoming streams. According to an embodiment of the present invention, server 102 is configured to detect patterns in the incoming event streams based upon the events in the event streams received by server 102. … Server 102 may also perform other types of processing on the input streams such as running other continuous queries on the incoming event streams, and other operations.
Srinivasan 6:13-24 (32)  Pattern matching may also be performed over multiple event streams, for example, using CQL. In one embodiment, this may be done by first performing a UNION of all the relevant input streams over which pattern matching is to be done with the result defining a view corresponding to an intermediate stream, and the pattern to be matched can be specified over this single intermediate stream. The pattern will then be matched to all the streams included in the view.
Srinivasan 13:36-43 As shown in Table B, events are received in sequence (as determined by the time stamp associated with each event) 
Srinivasan 4:44-46 For example, an event stream may comprise a series of temperature readings from a sensor such as 10.degree., 15.degree., 20.degree., etc. and associated time stamps. 


As per claim 35, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein the timestamped event data includes a portion of raw machine data created by one or more components of an information technology (IT) or security environment, and wherein the raw machine data includes at least one of: log data, wire data, server data, network data, file system information, registry information, or information related to one or more processes or services running on a device.  
( Figure 1 depicts an IT or security environment
raw machine data created by one or more components= series of temperature readings from a sensor such as 10.degree Srinivasan 4:44-46
an information technology (IT) or security environment disclosed by Figure 1 including the database, messaging service, etc.
wherein the raw machine data includes at least one of: log data.. or information related to one or more processes or services running on a device  disclosed by the temperature readings, RFID data, ticker data, etc.
 )
Srinivasan 13:36-43 As shown in Table B, events are received in sequence (as determined by the time stamp associated with each event) 
Srinivasan 4:44-46 For example, an event stream may comprise a series of temperature readings from a sensor such as 10°, 15°, 20°, etc. and associated time stamps. 
Srinivasan 4:7-16 (24) FIG. 1 is a simplified block diagram of a system 100 …comprises an events processing server 102 that is configured to process one or more incoming data or event streams 104, 106, and 108. Streams 104, 106, and 108 may be received from different sources including a database, a file, a messaging service, various applications, devices such as various types of sensors (e.g., RFID sensors, temperature sensors, etc.), tickers 


As per claim 36, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein at least one transition rule of the plurality of transition rules indicates a field value to be present in notable events satisfying the at least one transition rule.     ( See figure 12 C, which shows the transition rules for an example state machine, the transition rules are represented by the arrows from one state to another, for example the letter A next to one of the edges indicates a condition that must be satisfied; this condition is shown in figure 2 indicating that A.Price must be greater than or equal to 30 and A.Price must be less than or equal to 40; A.Price discloses the field value of claim 36
 )
Srinivasan 10:27-35 In one embodiment, the information received in 302 comprises a regular expression specifying the pattern to be matched. For example, a query may be received in 302 specifying a regular expression identifying a pattern to be matched. The information received in 302 may also identify the event streams that are to be analyzed to determine if events received in the event streams match the specified pattern. The information received in 302 may also specify predicates associated with the symbols in the regular expression.
See also 17:44 regular expression and 5:23 regular expression is a string of symbols representing pattern to be matched

As per claim 37, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses wherein at least one transition rule of the plurality of transition rules indicates a field value to be matched between a first notable event matched by the at least one transition rule and a second notable event matched by a previous transition rule.  ( See 
Srinivasan Figure 2, (C.price <= PREV(C.price)) is a rule involving matching a previous event [second notable event] and (B.price < PREV(B.price)) is a rule matching 1st event
Srinivasan figure 12 D, which shows the transition rules for an example state machine, the transition rules are represented by the arrows from one state to another, for example the letter A next to one of the edges indicates a condition that must be satisfied; this condition is shown in figure 2 indicating that A.Price must be greater than or equal to 30 and A.Price must be less than or equal to 40; A.Price discloses the field value of claim 37;
at least one transition rule can be disclosed by the transition from state 1 back to state 1 in Srinivasan figure 12 D
a field value to be matched can be disclosed by A.Price
a previous transition rule can be disclosed by the transition from state 3 to state 1;
the second notable event, when matching the previous transition rule, would cause the state machine to go from state 3 to state 1, and the first notable event, when matching the at least one transition rule, would cause the Srinivasan state machine to go from state 1 back to state 1 in Srinivasan figure 12 D;
the first notable event and the second notable event can be any notable events that match their respective rules
)

As per claim 38, the claim(s) is/are directed to a computer-readable storage medium with limitations which correspond to limitations of claim 21, and is/are rejected for the reasons detailed with respect to claim 21.  Claim 38 also recites A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
Srinivasan discloses A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising:
Srinivasan 10:15-124 (63) FIG. 3 is a simplified flowchart 300 depicting a method of performing pattern matching on an event stream according to an embodiment of the present invention. In one embodiment, the method depicted in FIG. 3 is performed by pattern matching module 110 depicted in FIG. 1. The processing depicted in FIG. 3 may be performed by software (e.g., code, program, instructions) executed by a processor, in hardware, or combinations thereof. The software may be stored in a computer-readable storage medium. 


As per claim 39, the claim(s) is/are directed to a computer-readable storage medium with limitations which correspond to limitations of claim 22, and is/are rejected for the reasons detailed with respect to claim 22.  
As per claim 40, the claim(s) is/are directed to a computer-readable storage medium with limitations which correspond to limitations of claim 23, and is/are rejected for the reasons detailed with respect to claim 23.  



Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	
	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.


Claims 22, 23, and 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Dwarakanath et al. U.S. Publication 20150205707 (hereinafter “Dwarakanath”).
As per claim 22, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses determining partial matches and full matches of events, and storing all matches for events, and outputting the matches which include event found in multiple bindings
( see Srinivasan table C 14:1-29; which depicts the matching of the finite state automaton to events represented by the price column, for example, sequence #6, there is an event where the price is 31 that results in a partial binding in Q4 and a partial binding in Q5, thus, one event where the price is 31 can be mapped to 2 different bindings. Q4 discloses a first set of notable events satisfying a meta-notable event rule and Q5 discloses a 2nd set of notable events satisfying a meta-notable event rule and both Q4, Q5 have relationship to the number 31 price and that information is stored by the server. The only thing missing is how to generate the binding information  as a graph; note that the claim does not require actually displaying a graph and only requires displaying the notable event node, the notable event node having certain characteristics such as two or more inbound edges that are not required by the claim to be displayed).
Srinivasan 21:62-64 (144) For a Class A pattern, preferment rules are used to determine which matches to store. For example, all matches may be stored or only the longest match may be stored. 
Srinivasan 21:58-60 At this point, there is no longer match possible and the matched pattern at seq #4 is output. In this manner, pattern matching on the input events is performed.
Srinivasan 28:64-29:3  (251) determining matched bindings that are to be output. Full pattern matches, if any, that are to be output are then determined based upon whether or not the updated bindings comprise any bindings representing full pattern matches which are to be output (step 710). Events corresponding to the full pattern matches, if any, determined in 710 are then output (step 712).

	However, Srinivasan does not expressly disclose 
wherein the graphical representation of notable events from the plurality of sets of notable events includes a notable event node, and wherein the notable event node is associated with two or more inbound edges from other notable event nodes, and wherein the two or more inbound edges indicate that a notable event corresponding to the notable event node is included in two or more of the plurality of sets of notable events.  
Dwarakanath discloses a technique for generating a directed graph with multiple inbound edges from a node to indicate various relationships between data and displaying information from the graph
(see Dwarakanath figure 7 which shows nodes that have multiple inbound edges to represent various relationships between data; see figure 2 which shows GUI 226 displaying information from the graph as a test path; the notable event node of the claim as part of the  graphical representation can be disclosed by Dwarakanath displaying the test path,  as in Dwarakanath figure 2, which shows multiple inbound edges to a node and multiple outbound edges from a node
).
Dwarakanath [0046] Accordingly, the flow graph circuitry 331 may generate a flow graph 332 through splitting of internal nodes in the acyclic transform graph 322 and assign a respective lower flow bound and edge capacity for edges in the flow graph 332. The particular flow graph 332 shown in FIG. 7 may be generated by the flow graph circuitry 331 for the particular acyclic transform graph 322, which also depicts lower flow bounds determined by the flow graph circuitry 331 for edges of the flow graph 332. As seen in the particular flow graph 332 shown in FIG. 7, the edges linking new vertices (e.g., p0+ and p0++ as well as v3+ and v3++ as just two examples) are assigned a lower flow bound of 1 by the flow graph circuitry 331 while other edges are assigned a lower flow bound of 0. For reference, the flow graph 332 generated by the flow graph circuitry 331 may be referred to as G_4 = (V_4, E_4, L, C), where L is the set of lower flow bounds and C is the set of edge capacities.
Dwarakanath [0023] FIG. 3 shows an example of processing circuitry 221 that the test generation system 102 may implement. The processing circuitry 221 may perform a series of processing steps to generate the test path set 110. In FIG. 3, the processing circuitry 221 includes transformation circuitry 301, system path determination circuitry 311, acyclic transform graph circuitry 321, flow graph circuitry 331, and flow graph processing circuitry 341.
Dwarakanath [0060] The flow graph processing circuitry 341 may determine the test path set 110 from the flow graph 332 with a determined minimum flow.

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for generating a directed graph with multiple inbound edges from a node to indicate various relationships and displaying information from the graph of Dwarakanath to include 
wherein the graphical representation of notable events from the plurality of sets of notable events includes a notable event node, and wherein the notable event node is associated with two or more inbound edges from other notable event nodes, and wherein the two or more inbound edges indicate that a notable event corresponding to the notable event node is included in two or more of the plurality of sets of notable events.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to present a simple to understand visual depiction of the results from the query, including providing information indicating that the events may be found in multiple bindings. The system of the primary reference can be modified to generate graphs using the information stored in Srinivasan tables regarding the bindings and display information from the graphs.

As per claim 23, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses determining partial matches and full matches, and storing all matches for events, and outputting the matches which include event found in multiple bindings
( see Srinivasan table C 14:1-29; which depicts the matching of the finite state automaton to events represented by the price column, for example, sequence #6, there is an event where the price is 31 that results in a partial binding in Q4 and a partial binding in Q5, thus, one event where the price is 31 can be mapped to 2 different bindings. Q4 discloses a first set of notable events satisfying a meta-notable event rule and Q5 discloses a 2nd set of notable events satisfying a meta-notable event rule and both Q4, Q5 have relationship to the number 31 price and that information is stored by the server. What is missing is how to generate the binding information  as a graph; note that the claim does not require actually displaying a graph and only requires displaying the notable event node, the notable event node having certain characteristics such as two or more outbound edges that are not required by the claim to be displayed).
 Srinivasan 21:62-64 (144) For a Class A pattern, preferment rules are used to determine which matches to store. For example, all matches may be stored or only the longest match may be stored. 

	However, Srinivasan does not expressly disclose 
wherein the graphical representation of the notable events from the plurality of sets of notable events includes a notable event node, and wherein the notable event node is associated with two or more outbound edges to other notable event nodes, and wherein the two or more outbound edges indicate that a notable event corresponding to the notable event node is included in two or more of the plurality of sets of notable events.
Inventor(s): Lucas Murphey et al. Examiner: Not yet assigned. Application No.: 16/944,460. Art Unit: Not yet assigned.
Dwarakanath discloses a technique for generating a directed graph with multiple outbound edges from a node to indicate various relationships between data and displaying information from the graph; 
(see Dwarakanath figure 7 which shows nodes that have multiple outbound edges to represent various relationships between data; see figure 2 which shows GUI 226 displaying information from the graph as a test path
the notable event node of the claim as part of the  graphical representation can be disclosed by Dwarakanath displaying the test path,  as in Dwarakanath figure 2, which shows multiple inbound edges to a node and multiple outbound edges from a node generated based on underlying data. Such a notable event node can be generated
).
Dwarakanath [0046] Accordingly, the flow graph circuitry 331 may generate a flow graph 332 through splitting of internal nodes in the acyclic transform graph 322 and assign a respective lower flow bound and edge capacity for edges in the flow graph 332. The particular flow graph 332 shown in FIG. 7 may be generated by the flow graph circuitry 331 for the particular acyclic transform graph 322, which also depicts lower flow bounds determined by the flow graph circuitry 331 for edges of the flow graph 332. As seen in the particular flow graph 332 shown in FIG. 7, the edges linking new vertices (e.g., p0+ and p0++ as well as v3+ and v3++ as just two examples) are assigned a lower flow bound of 1 by the flow graph circuitry 331 while other edges are assigned a lower flow bound of 0. For reference, the flow graph 332 generated by the flow graph circuitry 331 may be referred to as G_4 = (V_4, E_4, L, C), where L is the set of lower flow bounds and C is the set of edge capacities.
Dwarakanath [0023] FIG. 3 shows an example of processing circuitry 221 that the test generation system 102 may implement. The processing circuitry 221 may perform a series of processing steps to generate the test path set 110. In FIG. 3, the processing circuitry 221 includes transformation circuitry 301, system path determination circuitry 311, acyclic transform graph circuitry 321, flow graph circuitry 331, and flow graph processing circuitry 341.
Dwarakanath [0060] The flow graph processing circuitry 341 may determine the test path set 110 from the flow graph 332 with a determined minimum flow.

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for generating a directed graph with multiple outbound edges from a node to indicate various relationships and displaying information from the graph of Dwarakanath to include 
wherein the graphical representation of the notable events from the plurality of sets of notable events includes a notable event node, and wherein the notable event node is associated with two or more outbound edges to other notable event nodes, and wherein the two or more outbound edges indicate that a notable event corresponding to the notable event node is included in two or more of the plurality of sets of notable events.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to present a simple to understand visual depiction of the results from the query, including providing information indicating that the events may be found in multiple bindings. The system of the primary reference can be modified to generate graphs using the information stored in Srinivasan tables regarding the bindings and display information from the graphs.

As per claim 30, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses determining partial matches and full matches, and storing all matches for events, and outputting the matches which include event found in multiple bindings that indicates a relationship between the bindings
( set of notable events disclosed by a partial or full binding
see Srinivasan table C 14:1-29; which depicts the matching of the finite state automaton to events represented by the price column, for example, sequence #6, there is an event where the price is 31 that results in a partial binding in Q4 and a partial binding in Q5, thus, one event where the price is 31 can be mapped to 2 different bindings. Q4 discloses a first set of notable events satisfying a meta-notable event rule and Q5 discloses a 2nd set of notable events satisfying a meta-notable event rule and both Q4, Q5 have relationship to the number 31 price and that information is stored by the server, and indicates a relationship between Q4, Q5 bindings. The only thing missing is how to generate the graph representing the relationship among the bindings;).
 Srinivasan 21:62-64 (144) For a Class A pattern, preferment rules are used to determine which matches to store. For example, all matches may be stored or only the longest match may be stored. 
Srinivasan 28:64-29:3  (251) determining matched bindings that are to be output. Full pattern matches, if any, that are to be output are then determined based upon whether or not the updated bindings comprise any bindings representing full pattern matches which are to be output (step 710). Events corresponding to the full pattern matches, if any, determined in 710 are then output (step 712).

	However, Srinivasan does not expressly disclose 
wherein graphical representation further includes a graph showing relationships among the plurality of sets of notable events satisfying the meta-notable event rule.  
Dwarakanath discloses a technique for generating a directed graph to indicate various relationships between data and displaying information from the graph; 
(see Dwarakanath figure 7 which shows nodes that have edges to represent various relationships between data; see figure 2 which shows GUI 226 displaying information from the graph as a test path
).
Dwarakanath [0046] Accordingly, the flow graph circuitry 331 may generate a flow graph 332 through splitting of internal nodes in the acyclic transform graph 322 and assign a respective lower flow bound and edge capacity for edges in the flow graph 332. The particular flow graph 332 shown in FIG. 7 may be generated by the flow graph circuitry 331 for the particular acyclic transform graph 322, which also depicts lower flow bounds determined by the flow graph circuitry 331 for edges of the flow graph 332. As seen in the particular flow graph 332 shown in FIG. 7, the edges linking new vertices (e.g., p0+ and p0++ as well as v3+ and v3++ as just two examples) are assigned a lower flow bound of 1 by the flow graph circuitry 331 while other edges are assigned a lower flow bound of 0. For reference, the flow graph 332 generated by the flow graph circuitry 331 may be referred to as G_4 = (V_4, E_4, L, C), where L is the set of lower flow bounds and C is the set of edge capacities.
Dwarakanath [0023] FIG. 3 shows an example of processing circuitry 221 that the test generation system 102 may implement. The processing circuitry 221 may perform a series of processing steps to generate the test path set 110. In FIG. 3, the processing circuitry 221 includes transformation circuitry 301, system path determination circuitry 311, acyclic transform graph circuitry 321, flow graph circuitry 331, and flow graph processing circuitry 341.
Dwarakanath [0060] The flow graph processing circuitry 341 may determine the test path set 110 from the flow graph 332 with a determined minimum flow.

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for generating a graph to indicate various relationships and displaying information from the graph of Dwarakanath to include 
wherein graphical representation further includes a graph showing relationships among the plurality of sets of notable events satisfying the meta-notable event rule.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to present a simple to understand visual depiction of the results from the query, including providing information indicating that the events may be found in multiple bindings and the relationships between the bindings. The system of the primary reference can be modified to generate graphs using the information stored in Srinivasan tables regarding the bindings and display information from the graphs. For example, the relationships among the bindings of Srinivasan table C can be displayed according to the same technique as displaying the test path, as in Dwarakanath figure 2, which shows a graph representing relationships among data on the user interface 222, thereby visually presenting the relationship information between the data.

Claim 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Dwarakanath, further in view of Booth et al. Testing for the Consecutive Ones Property, Interval Graphs, and Graph Planarity Using PQ-Tree Algorithms, 1976, page 345 (hereinafter “Booth”).
As per claim 24, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses data including a price event that is included in at least one of the bindings
( a notable event is an event that forms one of the bindings, such as the event with price 31 in table C, 14:1-29, the event appearing in the multiple bindings such as Q4,Q5
) 
However, Srinivasan does not expressly disclose
wherein the graphical representation of the notable events from the plurality of sets of notable events includes a notable event node, and wherein the method further comprises shading the notable event node based on a number of inbound links associated with the notable event node.  
Dwarakanath discloses a technique for generating a directed graph with edges and nodes to indicate various relationships between data and displaying information from the graph; 
(see Dwarakanath figure 7 which shows graph edges and nodes; see figure 2 which shows GUI 226 displaying information from the graph as a test path including nodes representing underlying data
the notable event node of the claim as part of the  graphical representation can be disclosed by Dwarakanath displaying the test path,  as in Dwarakanath figure 2, which shows multiple inbound edges to a node and multiple outbound edges from a node
).
Dwarakanath [0046] Accordingly, the flow graph circuitry 331 may generate a flow graph 332 through splitting of internal nodes in the acyclic transform graph 322 and assign a respective lower flow bound and edge capacity for edges in the flow graph 332. The particular flow graph 332 shown in FIG. 7 may be generated by the flow graph circuitry 331 for the particular acyclic transform graph 322, which also depicts lower flow bounds determined by the flow graph circuitry 331 for edges of the flow graph 332. As seen in the particular flow graph 332 shown in FIG. 7, the edges linking new vertices (e.g., p0+ and p0++ as well as v3+ and v3++ as just two examples) are assigned a lower flow bound of 1 by the flow graph circuitry 331 while other edges are assigned a lower flow bound of 0. For reference, the flow graph 332 generated by the flow graph circuitry 331 may be referred to as G_4 = (V_4, E_4, L, C), where L is the set of lower flow bounds and C is the set of edge capacities.
Dwarakanath [0023] FIG. 3 shows an example of processing circuitry 221 that the test generation system 102 may implement. The processing circuitry 221 may perform a series of processing steps to generate the test path set 110. In FIG. 3, the processing circuitry 221 includes transformation circuitry 301, system path determination circuitry 311, acyclic transform graph circuitry 321, flow graph circuitry 331, and flow graph processing circuitry 341.
Dwarakanath [0060] The flow graph processing circuitry 341 may determine the test path set 110 from the flow graph 332 with a determined minimum flow.

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for generating a directed graph with edges and nodes to indicate various relationships between data and displaying information from the graph of Dwarakanath to include 
wherein the graphical representation of the notable events from the plurality of sets of notable events includes a notable event node.
One of ordinary skill in the art would have made this modification to improve the ability of the system to display a graph visualization of the bindings for the user, the bindings including the matching events. The system of the primary reference can be modified to generate a directed graph based on underlying data, such as the events with price data and bindings from table C, 14:1-29, of the Srinivasan base reference.

	However, the combination of Srinivasan and Dwarakanath does not expressly disclose 
wherein the method further comprises shading the notable event node based on a number of inbound links associated with the notable event node.  
Booth discloses shading a node to indicate a number of edges connected to the node that has certain properties
(see middle of page 345, figure 9, the figure labeled “replacement”,  which teaches partially shading a node to indicate some child nodes are empty and some child nodes are full, meaning that only a partial number of edges leads to empty child nodes, and not all edges leads to empty child nodes, which means that the shading of the node provides information about the number of edges leading to empty child nodes
).
Booth Page 345 If a P-node has some children which are labeled empty and some children which are labeled full then the P-node must be designated singly partial. This is a new label, different from either empty or full, which can only appear on an internal node. The template for this case is shown in Fig. 9. Partial nodes are partially shaded, with the shading indicating which children are full.

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Srinivasan and Dwarakanath with the technique for shading a node according to neighboring information of Booth to include 
wherein the method further comprises shading the notable event node based on a number of inbound links associated with the notable event node.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to present graph information visually that is easy to understand. The system of the primary reference can be modified to shade nodes according to the properties of edges and neighbors. One of ordinary skill in the art would shade a node based on a number of inbound links because the graph generated according to the teaching of the Dwarakanath secondary reference includes inbound and outbound links, including multiple links, and shading can provide visually easy to grasp information regarding the number of links/neighbors.

Claims 27-28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of Cochenour et al. U.S. Publication 20150172300 (hereinafter “Cochenour”).
As per claim 27, the rejection of claim 21 is incorporated herein. 
	However, Srinivasan does not expressly disclose 
wherein at least one of the plurality of notable events indicates a potential security threat involving a computing device of an information technology (IT) or security environment.  
Cochenour discloses receiving a stream that includes an event indicating a security threat involving a computing device in a security environment
Cochenour [0048] The malware identification platform 103 is configured to detect and react to various system events …. Such system events may be early indicators associated with data theft at the hands of malware. 
Cochenour [0057] malware remediation platform 107 collects and analyzes real-time received streams of behavioral telemetry from each protected UE 101  

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for receiving a stream that includes an event indicating a security threat involving a computing device of Cochenour to include 
wherein at least one of the plurality of notable events indicates a potential security threat involving a computing device of an information technology (IT) or security environment.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to monitor the IT environment for threats. The system of the primary reference can be modified to add computing devices to the IT environment that generate events indicating potential malware threats and to distribute streams including such events to the server 102.


 As per claim 28, the rejection of claim 21 is incorporated herein. 
	Srinivasan discloses detecting anomalies based on events that satisfy the states of a finite state automaton and identifying the object with anomaly based on the events satisfying the final state automaton.
(315) Pattern matching using regular expressions over continuously arriving events of an event stream, as described above, has wide applicability in various fields and applications. Examples include … RFID-based tracking and monitoring, the pattern matching techniques described above may be used to track valid paths of shipments and detect anomalies.
However, Srinivasan does not expressly disclose 
wherein a meta-notable event of the plurality of meta-notable events indicates a potential security threat involving a plurality of computing devices of an information technology (IT) or security environment, and wherein the plurality of computing devices are identified by a set of notable events corresponding to the meta-notable event.  
Cochenour discloses receiving a stream that includes an event indicating a security threat involving a computing device in a security environment.
Cochenour [0048] The malware identification platform 103 is configured to detect and react to various system events …. Such system events may be early indicators associated with data theft at the hands of malware. 
Cochenour [0057]  malware remediation platform 107 collects and analyzes real-time received streams of behavioral telemetry from each protected UE 101  

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the technique for receiving a stream that includes an event indicating a security threat involving a computing device of Cochenour to include 
wherein a meta-notable event of the plurality of meta-notable events indicates a potential security threat involving a plurality of computing devices of an information technology (IT) or security environment, and wherein the plurality of computing devices are identified by a set of notable events corresponding to the meta-notable event.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to monitor the IT environment for threats. The system of the primary reference can be modified to add computing devices to the IT environment that generate events indicating potential malware threats and to distribute streams including such events to the server 102.

Claim 34 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivasan in view of U.S. Patent No. 9514175 (hereinafter “Swan”).
As per claim 34, the rejection of claim 21 is incorporated herein. 
Srinivasan discloses a data store 
(See Srinivasan figure 18 application database, metadata database 1814, 1816; 
52:17-18 System environment 1800 may also include one or more databases 1814, 1816.).
	However, Srinivasan does not expressly disclose 
receiving raw machine data from components of an information technology or security environment; segmenting the received raw machine data into events, each event containing a portion of the collected raw machine data; and for each event, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field-searchable data store.
Swan discloses receiving raw machine data from components of an information technology or security environment; segmenting the received raw machine data into events, each event containing a portion of the collected raw machine data; and for each event, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field-searchable data store.
(see Swan figure 2 which shows a data store time-based indexes 225)
5:20-24 FIG. 2 illustrates one approach 200 to architecting a TSSE. Time series data streams 205 arrive synchronously or asynchronously from multiple sources, 
Swan 5:42-56 FIG. 2 depicts an example TSSE 200 with four major processes: time stamp process 210, index process 220, search process 230 and presentation process 240. The time stamp process 210 turns raw time series data 205 into time stamped events 215 to be fed to the indexing process 220. Following our information processing example, raw logs 205 from multiple web servers, application servers and databases might be processed by the time stamp process 210 to identify individual events 215 within the various log formats and properly extract time and other event data. The event data 215 is used by the index process 220 to build time bucketed indices 225 of the events. These indices 225 are utilized by the search process 230 which takes searches 255 from users or systems, decomposes the searches, and then executes a search across a set of indices

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Srinivasan with the grouping and event generating technique of Swan to include 
receiving raw machine data from components of an information technology or security environment; segmenting the received raw machine data into events, each event containing a portion of the collected raw machine data; and for each event, determining a time stamp for the event, associating the time stamp with the event, and storing the event in a field-searchable data store.
One of ordinary skill in the art would have made this modification to improve the ability of the system, e.g., server 102, to generate useful events for search. This allows the system to identify the useful data and create events based on the useful data.



	


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HOWARD H. LOUIE/Examiner, Art Unit 2494
/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494