Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA and is in response to communications filed on 8/10/2022.
Note: A second non-final rejection is granted because amendments made to the claims did not show up in Examiner’s docket.  Therefore, in order not to penalize Applicant, and as a show of good faith toward Applicant, the most recent amendments to the claims are being treated as if they were the first claims given immediately after the Request for Continuation.

Priority
Acknowledgment is made of parent Application No. 13/956,338, filed on 7/31/2013.

Drawings
Drawings have been acknowledged and are acceptable for examination purposes.

Specification
Specification has been acknowledged and is acceptable for examination purposes.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20, 22-23, 25-26, and 28-29 are rejected under 35 U.S.C. 103 as being unpatentable over Carasso, “Exploring Splunk” (hereinafter referred to as “Carasso”) in view of Deshpande et al. US 8782162 B1 (hereinafter referred to as “Deshpande”) and further in view of Ginter et al. US 20050015624 A1 (hereinafter referred to as “Ginter”).

As per claim 1, Carasso teaches:
A computer-implemented method comprising: 
in response to the selection: 
generating a search query based on the metric, the search query including a criterion for a field value (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values, wherein this is interpreted as generating a search query including a criterion for a field value.  Pg. 58 – The statistics associated with the values are also part of the criterion), 
identifying events of interest from a set of machine data containing a plurality of events, by identifying instances in which the field value in events in the set of machine data matches the criterion in the search query (Carasso, pg. 55, paragraph 2 – Machine data.  Pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values, wherein this is interpreted as generating a search query based on selection of metrics), and 
calculating a first value for the metric from the identified events of interest (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period),
the first value corresponding to a number of events associated with the metric at a first time of a configurable time period (Carasso, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold.  The rolling window also comprises a first point in time and a second point in time which are continually moving in conjunction with one another, wherein the first point in time is interpreted as a first time that is associated with a first value which is constantly being monitored for changes); 
calculating a second value for the metric, the second value corresponding to a number of events associated with the metric at a second time of the configurable time period (Carasso, pg. 69, paragraph 7 – The rolling window comprises a first point in time and a second point in time which are continually moving in conjunction with one another, wherein the second point in time is interpreted as the second time of the configurable time period);
determining a change value based on the difference between the second value and the first value (Carasso, pg. 69, paragraph 7 – The alert is triggered when there’s a change in value from the first point in time and the second point in time that exceeds a threshold);
determining a relationship between the second value and a first threshold (Carasso, pg. 69, paragraph 5 – A threshold for a total number of events regardless of any time period or rolling time window is interpreted as a first threshold, wherein this would also correspond to the second point in time of the rolling window as well as the second value that corresponds to the second point in time, but without taking account of the first value or first point in time.  See also pg. 72 with different alert conditions, wherein a simple “is greater than” condition is interpreted as the first threshold); and
determining a relationship between the change value and a second threshold (Carasso, pg. 69, paragraph 7 – The alert is triggered when there’s a change in value from the first point in time and the second point in time that exceeds a threshold); 
updating the value of the metric continuously in real time as additional machine data is received (Carasso, pg. 69, paragraphs 6-9 – Splunk can monitor for a condition in real time over a rolling window.  An alert can also be triggered when there’s a change in value from the first point in time and the second point in time that exceeds a threshold.  See also pg. 72 with different alert conditions, wherein a simple “is greater than” condition is interpreted as the first threshold.  This page also states that a “rises by” or “falls by” condition can be added which allows one to “set alerts for conditions that are relative (it’s often not the absolute number as much as a doubling or tripling that you want to be alerted about)”); and
Although Carasso teaches updating a metric in real time and a rolling window which may read on a dashboard, Carasso doesn’t explicitly teach that the real time data is shown in a display that updates the values in real time.  However, Deshpande teaches:
causing display, in a dashboard, of updated values of the metric as time progresses and trend information related to changes in a numerical value of the metric, the display including an identifier of the metric, an indication of the second value, an indication of the change value, an indication of the relationship between the second value and the first threshold, and an indication of the relationship between the change value and the second threshold (Deshpande, Column 24, lines 1-47 – Real time web site traffic data in a graphical user interface.  Trends can also be displayed in the real time web site traffic analysis.  The information can include the average number of visitors per minute in the last 10 minutes.  A single continuous line in a line graph can be given to display the analysis.  The interface is automatically and continuously updated using real time web site traffic data).
It would have been obvious for one of ordinary skill in the art at the time of the filing of the application to modify Exploring Splunk’s invention in view of Deshpande in order to provide a display which updates in real time trend information as well as the rolling window with the information used in Carasso; this is advantageous because it allows the user to select different types of information to be displayed as well as parameters for display (Ginter, paragraph [0132]).
Although Exploring Splunk teaches metrics and values associated with the metrics, Exploring Splunk doesn’t explicitly teach a selection of selectable metrics.  However, Ginter teaches:
receiving a selection of a metric from a set of selectable metrics (Ginter, [0132] – Metrics can be selected and the different types of information can be displayed.  Paragraphs [0133] and [0136] – The web server may be used in connection with displaying pages to a console in response to a user selection or obtaining settings for different threshold and alarm levels such as may be used in connection with notifications); 
It would have been obvious for one of ordinary skill in the art at the time of the filing of the application to modify Exploring Splunk’s invention in view of Ginter in order to allow selection of a metric from a set of selectable metrics; this is advantageous because it allows the user to select different types of information to be displayed as well as parameters for display (Ginter, paragraph [0132]).

As per claim 2, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of the first threshold as a configurable threshold to be applied to the second value; and 
causing display of an indicator indicating that the second value of the at least one metric exceeds the configurable threshold (Carasso, pg. 69, paragraphs 5-7 – The rolling window with multiple alerts is interpreted as teaching first and second values with first and second thresholds).

As per claim 3, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of the second threshold as a configurable threshold to be applied to the change (Carasso, pg. 69 fig. 5-10 shows “trigger if” options which allow the user to specify the threshold.  Also, the rolling window with multiple alerts is interpreted as teaching first and second values with first and second thresholds); and 
causing display of an indicator indicating that the change value exceeds the configurable threshold (Carasso, pg. 55 – Creating Alerts about Potential Problems shows how to track and send alerts when metrics cross thresholds).

As per claim 4, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
causing display of a drill down view of the machine data underlying at least one of the first value or the second value of the metric upon selection of the metric (Carasso, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred.  See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 5, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the second value is determined based upon a number of events identified as search query results (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).

As per claim 6, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
receiving selection of a time period for the metric, wherein the identified events of interest fall within the configurable time period (Carasso, pg. 69, paragraph 7 – The user can track whether a certain number of things happen within a certain time period.  Fig. 5-10 shows scheduling an alert with a configurable window of time).

As per claim 7, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
causing display of a list of searches for events of interest (Carasso, pg. 72, paragraphs 2 and 3 – Saved searches can be displayed in a list and selected by a user to display its parameters), 
wherein each search in the list includes: 
a name of the search (Ginter, [0090] – Host name, user name, certificate name and/or any other information that might serve to identify who or what is connected to the control network via the VPN connection, wherein these are interpreted as possible names of a search.  [0281] – Metric name), 
a type of the search (Ginter, [0016] – The summary may identify at least one source associated with an attack, wherein said source is one of: a user, a machine, and an application, said percentage indicating a percentage of events associated with said at least one source for a type of attack. The summary may identify at least one target associated with an attack, wherein said target is one of: a user, a machine, an application, and a port, said percentage indicating a percentage of events associated with said at least one target for a type of attack, wherein the type of attack that is searched for is interpreted as the type of search).

As per claim 8, Carasso as modified teaches:
The computer-implemented method of claim 7, further comprising: 
causing display of a drill down view of a machine data underlying the event of interest associated with the search upon selection of the search (Carasso, pg. 9, paragraph 3 – Splunk can drill down into a time period when a problem first occurred.  See also pages 63 and 67 as well as fig. 5-9 for a drill down chart).

As per claim 9, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a domain within which the event of interest is identified (Ginter, [0014] and [0016] – Security events of interest are reported.  [0022] – The method may perform pattern matching).

As per claim 10, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the list further includes 
a status field that includes a first selectable option that enables a search for the event of interest (Carasso, pg. 23, paragraph 11 – A search option is displayed in the search dashboard, wherein the search dashboard is interpreted as the status field because it includes a selectable option that enables searches) and 
a second selectable option that disables the search for the event of interest (Carasso, pg. 26, paragraphs 2-4 – Pausing, stopping and cancelling searches can be performed in the system, wherein this is interpreted as disabling searches for events of interest).

As per claim 11, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein the type of search includes any one of 
a scheduled search (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment) and 
a real-time search (Ginter, [0067] – The security event monitoring system provides data in real time).

As per claim 12, Carasso as modified teaches:
The computer-implemented method of claim 7, wherein for each event of interest for which the scheduled search is performed, causing display of a date and time when a next search is scheduled to be performed to identify a presence of an event of interest (Ginter, [0009] – The periodic report may include a summary of a selected set of one or more data sources and associated values for a time interval since a last periodic report was sent to a reporting destination.  Paragraph [0227] – Time intervals may be user specified as well as defined using one or more default values that may vary with an embodiment).

As per claim 13, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the metric from the plurality of metrics is related to operational performance in the information technology environment (Ginter, [0021], [0022] and [0111] – Events of interest may be obtained by parsing data.  Paragraph [0232] – A determination is made as to whether the input data has any one or more matches in accordance with predefined string values indicating events of interest.  Fig. 14 shows possible selections of metrics such as logins, login failures, resource usage, etc., wherein resource usage is interpreted as operational performance).

As per claim 14, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the machine data include unstructured or semi-structured data (Ginter, [0146] – Raw data may be gathered and alerts may be generated, wherein gathering raw data is interpreted as gathering machine data and generating alerts from that data is interpreted as separating the data into events.  Paragraph [00236] – Schemas can be formed).

As per claim 15, Carasso as modified teaches:
The computer-implemented method of claim 1, wherein the machine data is log data (Ginter [0158] – The log agent searches the log file for predetermined strings of interest, and may store in memory the string found as well as one or more corresponding metrics such as, for example, the number of occurrences of a string).

Claims 16-18 are directed to an apparatus performing steps recited in claims 1-3 with substantially the same limitations.  Therefore, the rejections made to claims 1-3 are applied to claims 16-18.

Claims 19-20 are directed to a non-transitory computer readable program storage medium performing steps recited in claims 1-2 with substantially the same limitations.  Therefore, the rejections made to claims 1-2 are applied to claims 19-20.

As per claim 22, Carasso as modified teaches:
The computer-implemented method of claim 1, further comprising: 
separating the set of machine data into two or more events by identifying a presence of a feature in the set of machine data, wherein the feature identifies a boundary used to separate the set of machine data into the two or more events, and wherein the two or more events comprise the events of interest (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values (this is especially helpful for the regular expression-challenged among us), wherein this is interpreted as generating a search query based on selection of metrics).

As per claim 23, Carasso as modified teaches:
The computer-implemented method of claim 22, wherein the feature includes a leading punctuation, a word, a white space, or a breaking character (Carasso, pg. 57, paragraph 2 – By entering the kinds of values you seek (such as a client IP address in web logs), Splunk generates a regular expression that extracts similar values (this is especially helpful for the regular expression-challenged among us), wherein this is interpreted as generating a search query based on selection of metrics).

Claims 25 and 26 are directed to an apparatus performing steps recited in claims 22 and 23 with substantially the same limitations.  Therefore, the rejections made to claims 22 and 23 are applied to claims 25 and 26.

Claims 28 and 29 are directed to a non-transitory computer readable program storage medium performing steps recited in claims 22 and 23 with substantially the same limitations.  Therefore, the rejections made to claims 22 and 23 are applied to claims 28 and 29.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Petersen et al. US 20120246303 A1 teaches log collection, structuring, and processing (Title).
Manes et al. US 20130047039 A1 teaches system and method for computer analysis (Title).
Wilson et al. US 20080086345 A1 teaches asset data collection, presentation, and management (Title).
Kass et al. US 20080086363 A1 teaches technology event detection, analysis, and reporting system (Title).
Qamhiyah et al. US 20060041535 A1 teaches a geometric search engine (Title).

Response to Arguments
Applicant’s arguments with respect to claims have been considered but are generally moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant’s argument concerning prosecution history in Remarks of 8/10/2022 has been fully considered.  Therefore, a second non-final rejection is granted to Applicant due to amendments not showing up in the previous response.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Jenkins et al. US 8707194 B1 teaches a system and method for decentralized performance monitoring of host systems (Title).
Kwan et al. US 20150039749 A1 teaches calculating a percentage change over the baseline or use pre-determined thresholds to determine whether a difference between the current measurement and the rolling baseline constitutes an anomaly in paragraph [0056].
Bartosz et al. “Real-time Grid Monitoring Based on Complex Event Processing” teaches real-time access and query capabilities (Abstract).
Murstein et al. teaches in figs. 6a and 6b, and column 9, lines 12-31 about an interface component which displays performance metric data graphically over a period of time.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew Ellis whose telephone number is (571)270-3443.  The examiner can normally be reached on Monday-Friday 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571)270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

November 2, 2022
/MATTHEW J ELLIS/Primary Examiner, Art Unit 2152