Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on April 05, 2021. Claims 1-20 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lin et al. (Pub. No.: US 20180165173 A1) in view of Vemulapati et al. (Patent No.: US 10713143 B1).

As to claim 1 Lin teaches an improved log/event-message system, within a distributed computer system, that collects log/event messages from log/event-message sources within the distributed computer system, automatically associates log-source tags with those collected log/event messages for which log-source mappings have been learned, stores the collected log/event messages, and provides query-based access to the stored log/event-messages, the log/event-message system comprising: 
one or more message collectors, incorporated within one or more computer systems, each having one or more processors and one or more memories (paragraph [0070]: computer system 1112), which each 
receives log/event messages (paragraphs [0070]: collects and stores the received event messages in a data-storage device or appliance 1118 as large event-message log files 1120), 
processes the received log/event messages (paragraph [0073]: process event messages as they are received), and 
transmits the log/event messages to one or more downstream processing components, including one or more message-ingestion-and-processing systems (paragraph [0073], [0074]: transform the received event messages into event records wherein the downstream analysis and interpretation systems directly acquire relevant parameters and an event-message type from an event record); and 
the one or more message-ingestion-and-processing systems, incorporated within one or more computer systems, each having one or more processors and one or more memories (paragraph [0077]: event-message-clustering system), which each 
receives log/event messages from one or more of the one or more message collectors (paragraph [0077]: Rectangles 1402-1406 represent incoming event messages),
processes the received log/event messages (paragraph [0077]: processes each received event message), and 
transmits the log/event messages to one or more downstream processing components, including a log/event-message query system (paragraph [0077]: transform the received event message into an event record and determines to which cluster to assign the event record wherein the event records may be accessed by downstream event-analysis and event-interpretation systems).
Lin does not explicitly disclose that mappings have been learned, as recited in the preamble. However, similar art Vemulapati teaches that a machine-learning model may be configured to make inferences, cluster data, and/or perform classification based on a particular set of input parameters. The input parameters of the machine-learning model may include log information from the log sources mapped to the model identifiers (Column 5 lines 61-66). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Lin by adding the above limitation as taught by Vemulapati to improve system performance based on log information (Vemulapati, abstract).

As to claim 2 Lin together with Vemulapati teaches a log/event-message system according to claim 1. Lin teaches wherein log/event-message sources include:
message-generation-and-reporting components of hardware components of the distributed computer system, including network routers and bridges, network-attached storage devices, network-interface controllers, and other hardware components and devices (paragraph [0070]); and
message-generation-and-reporting components within computer-instruction-implemented components of the distributed computer system, including virtualization layers, operating systems, and applications running within servers and other types of computer systems (paragraphs [0046], [0053]-[0069]).

As to claim 3 Lin together with Vemulapati teaches a log/event-message system according to claim 1. Lin teaches wherein log/event-messages include text, alphanumeric values, and/or numeric values that represent various types of information, including notification of completed actions, errors, anomalous operating behaviors and conditions, various types of computational events, warnings, and other such information (paragraphs [0003], [0072]-[0073], [0076]).

As to claim 4 Lin together with Vemulapati teaches a log/event-message system according to claim 1. Lin teaches wherein the log/event-message system automatically associates log-source tags with the collected log/event messages using multiple types of information (paragraph [0073]), the multiple types of information including: 
a mapping of log/event messages to event types (paragraphs [0132]-[0133], [0091]); 
log-source tags associated with log/event messages prior to an initial learning phase (paragraph [0095], [0080]);
clustering of event types unmapped to a verified log source (paragraph [00149]); 
log/event-message field definitions provided by content packs (paragraph [0095], [0080]); and
Vemulapati teaches machine-learned mappings between information derived from event types and log sources (Column 5 lines 61-66).

As to claim 5 Lin together with Vemulapati teaches a log/event-message system according to claim 4. Lin teaches wherein the log/event-message system automatically determines an event type for a received log/event message by: 
extracting non-variable field values from the received log/event message (paragraph [0090]); and 
identifying an event type for which the extracted non-variable fields most closely matches the non-variable fields extracted from the log/event messages of the event type (paragraph [0074], [0111]).

As to claim 6 Lin together with Vemulapati teaches a log/event-message system according to claim 5. Lin teaches wherein the log/event-message system associates an event type with a group of log/event messages by: 
representing each of a set of received log/event messages by a vector generated from the non-variable fields extracted from the log/event messages (paragraph [0086]); 
clustering the vectors (paragraph [0086]); and 
assigning a unique event type to each cluster of vectors (paragraph [0090]).

As to claim 7 Lin together with Vemulapati teaches a log/event-message system according to claim 4. Vemulapati teaches wherein the log-source tags associated with log/event messages prior to an initial learning phase are generated by one of: 
human developers, administrators, managers, and other users of the distributed computer system (Column 5 lines 61-66); 
one or more external log/event-message systems (column 6 lines 21-28); and 
by configured message collectors and/or message-processing-and-ingestion systems within a controlled test environment (Column 4 lines 2-7).

As to claim 8 Lin together with Vemulapati teaches a log/event-message system according to claim 4. Lin teaches 
clustering event types unmapped to a verified log source by generating a feature vector for each event type unmapped to a verified log source from an example log/event message of the event type, and clustering the feature vectors using a distance metric for feature vectors (paragraph [0085]-[0086]); 
assigning a log source to each event-type cluster (paragraph [0085]-[0086]); 
mapping the event types in each cluster to the log source assigned to the cluster (paragraph []); and 
mapping log/event messages of the event type to the log source to which the event type is mapped (paragraph [0085]-[0086], [0090]).

As to claim 9 Lin together with Vemulapati teaches a log/event-message system according to claim 8. Lin teaches 
applying log/event-message field definitions provided by content packs to associate each unmapped event type to a content pack (paragraph [0095]); and 
assigning a log source to each event-type cluster by determining a likely content pack for each event-type cluster, and assigning to each event-type cluster a log source associated with the determined likely content pack for the event-type cluster (paragraph [0095]).

As to claim 10 Lin together with Vemulapati teaches a log/event-message system according to claim 9. Lin teaches wherein a likely content pack for an event-type cluster is a content pack associated with as many or more unmapped event types in the event-type cluster than any other content pack (paragraph [0095]).

As to claim 11 Lin together with Vemulapati teaches a log/event-message system according to claim 4. Vemulapati teaches 
training a machine-learning classifier to map feature vectors, generated from sample log/event messages for event types, to log sources (Column 5 lines 61-66); 
receiving output from the machine-learning classifier (Column 11 lines 22-29); and
Lin teaches inputting a feature vector generated from a sample log/event message for an unmapped event type (paragraph [0085]-[0086]) to the trained machine-learning classifier;  
when the output indicates that the input feature vector can be assigned to a log source, associating the log source with log/event messages of the event type (paragraphs [0085]-[0090]).

As to claim 12 Lin together with Vemulapati teaches a log/event-message system according to claim 11. Lin teaches wherein the output includes a log source and a probability; and wherein the output indicates that the input feature vector can be assigned to the log source when the probability is greater than a threshold value (paragraph [0085]-[0090]).

As to claim 1 Lin teaches a method that improves a log/event-message system within a distributed computer system that collects log/event messages from log/event-message sources within the distributed computer system, stores the collected log/event messages, and provides query-based access to the stored log/event-messages, the method comprising: 
log sources and event types (paragraphs [0074], [0095]).
Lin does not explicitly disclose, but Vemulapati teaches, learning mappings, by the log/event-message system (Column 5 lines 61-66) and automatically associating, by the log/event-message system, log-source tags containing log-source indications with those collected log/event messages having event types for which log-source mappings have been learned (column 11 line 22-29). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Lin by adding the above limitation as taught by Vemulapati to improve system performance based on log information (Vemulapati, abstract).

As to claim 14 Lin together with Vemulapati teaches a method according to claim 13. Vemulapati teaches wherein the log/event-message system learns mappings between log sources and event types using multiple types of information, the multiple types of information including: 
a mapping of log/event messages to event types (Column 5 lines 61-66); 
log-source tags associated with log/event messages prior to an initial learning phase (Column 5 lines 61-66); 
machine-learned mappings between information derived from event types and log sources (column 11 line 22-29).
Lin teaches clustering of event types unmapped to a verified log source (paragraph [0077], [0090]);
log/event-message field definitions provided by content packs (paragraph [0095]).

As to claim 15 Lin together with Vemulapati teaches a method according to claim 14. Lin teaches wherein the log/event-message system automatically determines an event type for a received log/event message by extracting non-variable field values from the received log/event message, and identifying an event type for which the extracted non-variable fields most closely matches the non-variable fields extracted from the log/event messages of the event type (paragraph [0090]); and 
wherein the log/event-message system associates an event type with a group of log/event messages by representing each of a set of received log/event messages by a vector generated from the non-variable fields extracted from the log/event messages, clustering the vectors, and assigning a unique event type to each cluster of vectors (paragraph [0085]-[0092]).

As to claim 16 Lin together with Vemulapati teaches a method according to claim 14. Vemulapati teaches wherein the log-source tags associated with log/event messages prior to an initial learning phase are generated by one of: 
human developers, administrators, managers, and other users of the distributed computer system (Column 5 lines 61-66); 
one or more external log/event-message systems; and by configured message collectors and/or message-processing-and-ingestion systems within a controlled test environment (column 6 lines 21-28).

As to claim 17 Lin together with Vemulapati teaches a method according to claim 14. Lin teaches wherein the log/event-message system automatically associates a log source with a group of log/event messages by: 
clustering event types unmapped to a verified log source by 
generating a feature vector for each event type unmapped to a verified log source from an example log/event message of the event type (paragraph [0085]-[0092]), and 
clustering the feature vectors using a distance metric for feature vectors (paragraph [0079]-[0086]); 
assigning a log source to each event-type cluster (paragraph [0077]-[0090]); 
mapping the event types in each cluster to the log source assigned to the cluster (paragraph [0077]-[0090]); and
mapping log/event messages of the event type to the log source to which the event type is mapped (paragraph [0077]-[0090]).

As to claim 18 Lin together with Vemulapati teaches a method according to claim 17. Lin teaches applying log/event-message field definitions provided by content packs to associate each unmapped event type to a content pack (paragraph [0095]); and 
assigning a log source to each event-type cluster by determining a likely content pack for each event-type cluster, and assigning to each event-type cluster a log source associated with the determined likely content pack for the event-type cluster, wherein the likely content pack for the event-type cluster is a content pack associated with as many or more unmapped event types in the event-type cluster than any other content pack (paragraph [0077]-[0095]).

As to claim 19 Lin together with Vemulapati teaches a method according to claim 18. Lin teaches wherein the log/event-message system automatically associates a log source with a group of log/event messages by: 
inputting a feature vector generated from a sample log/event message for an unmapped event type to the trained machine-learning classifier (paragraph [0086]-[0095]); and 
when the output probability is greater than a threshold value, associating the output log source with log/event messages of the event type (paragraph [0086]-[0090]).
Vemulapati teaches training a machine-learning classifier to map feature vectors, generated from sample log/event messages for event types, to log sources (Column 5 lines 61-66, Column 6 lines 21-28), and receiving output from the machine-learning classifier that includes a log source and a probability (Column 5 lines 61-66, Column 6 lines 21-28).

As to claim 20 Lin teaches a physical data-storage device that stores computer instructions that, when executed by processors within computer systems of a log/event-message system within a distributed computer system, control the log/event-message system to: 
collect log/event messages from log/event-message sources within the distributed computer system (paragraph [0070]); 
automatically associating log-source tags containing log-source indications with those collected log/event messages having event types for which log-source mappings have been learned (paragraph [0132]-[0133], [0149]);
store the collected log/event messages (paragraph [0112]); and 
provide query-based access to the stored log/event-messages (paragraph [0072]).
Lin does not explicitly disclose, but Vemulapati teaches, learning a mapping between log sources and event types (Column 5 lines 61-66). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Lin by adding the above limitation as taught by Vemulapati to improve system performance based on log information (Vemulapati, abstract).

Examiner's Note: Examiner has cited particular columns and line numbers or paragraphs in the references as applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that the applicant, in preparing responses, fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context.
Conclusion
The prior art made of record, listed on form PTO-892, and not relied upon, if any, is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MD I UDDIN whose telephone number is (571)270-3559. The examiner can normally be reached M-F, 8:00 am to 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MD I UDDIN/Primary Examiner, Art Unit 2169