Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1, 3-11, 13-20 are pending in this application.



Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/21/2022 has been entered.



Claim Objections

Claim 15 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 15 recites, in part, “when metrics requested by the one or more queries are not stored.” The claim does not expressly disclose where the queries are stored. An appropriate correction is required.

Claim 16 recites the limitation "the constraint plane" in line 3.  There is insufficient antecedent basis for this limitation in the claim.  An appropriate correction is required.



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 1, 3-11 and 13-20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Sriharsha et al., US 2021/0117232 (hereinafter Sriharsha).

For claims 1, 19, 20, Sriharsha teaches a computer implemented method for displaying metrics associated with log data, the computer implemented method comprising: 
receiving a stream of log data being generated by an operational system (see [0153], “During operation, the data intake and query system receives machine data from any type and number of sources (e.g., one or more system logs, streams of network packet data, sensor data, application program data, error logs, stack traces, system performance data, etc.)”); 
forwarding the stream of log data to a first location and to a second location separate and distinct from the first location, wherein the stream of log data is forwarded to the first location and to the second location concurrently (see [0200] – [0203], [0212] – [0213], [0219], “the intake system 210 may divide and categorize messages from the intake ingestion buffer 306, partitioning the message into output topics relevant to a specific downstream consumer. In this manner, specific portions of data input to the data intake and query system 108 may be “divided out” and handled separately, enabling different types of data to be handled differently, and potentially at different speeds,” [0221], [0228], [0401], “various implementations may involve concurrent or at least partially parallel processing. For example, in one embodiment, the intake system 210 is configured to process a message according to all rules determined to apply to that message. Thus for example if at block 706 five rules are determined to apply to the message, the intake system 210 may implement five instances of blocks 708 through 714, each of which may transform the message in different ways or publish the message to different ingestion buffers or topics. These five instances may be implemented in serial, parallel, or a combination thereof” where forwarding subset of streaming data into multiple distinct ingestion buffers represents first and second locations that are separate and distinct from each other, [0747]);
storing the stream of log data forwarded to the first location (see [0219], [0401], where instance of stream data stored in a first buffer represents storing forwarded to a first location); 
extracting a subset of the stream of log data forwarded to the second location at the second location in accordance with a set of rules based on predefined queries of a real-time reporting service (see Fig. 21A, [0575], “the indexing system 212 receives messages from the intake system 210 (e.g., by obtaining the messages from the output ingestion buffer 310) and parses the data of the message to organize the data into events,”); 
storing the subset of the stream of log data at a third location separate and distinct from the first and second locations (see Fig. 21A, [0575], [0588] – [0590], “At block 2118, the indexing system 212 stores the events with an associated timestamp in a local data store 212 and/or common storage 216” where local data store and/or common storage represents third location separate from first and second locations); 
transmitting one or more metrics included in the subset of the stream of log data to the real-time reporting service (see [0586] – [0590], “When the data intake and query system 108 subsequently receives a keyword-based query, the query system 214 can access the keyword index to quickly identify events containing the keyword” and “the query system 214 can analyze events for a query in parallel. For example, using map-reduce techniques, each search node 506 can return partial responses for a subset of events to a search head that combines the results to produce an answer for the query,” [0610] – [0611], “the query system 214 can focus the processing to only a subset of the total number of inverted indexes in the data intake and query system 108...Once the relevant inverted indexes are identified, the query system 214 can review them using any additional filter criteria to identify events that satisfy the filter criteria” where stream data associated with queried keyword(s) represents metrics in subset); and 
providing the one or more metrics from the subset of the stream of log data to a user of the real-time reporting service (see [0213], [0224], “individual devices implementing the streaming data processors 308 may subscribe to different topics on the intake ingestion buffer 306, and the number of devices subscribed to an individual topic may vary according to a rate of publication of messages to that topic,” [0386], “The output ingestion buffer 310 may thereafter make the message available to downstream systems or components. These downstream systems or components are generally referred to herein as “subscribers.” For example, the indexing system 212 may subscribe to an indexing topic 342, the query system 214 may subscribe to a search results topic 348, a client device 102 may subscribe to a custom topic 352A, etc.,” [0588] – [0590], “each search node 506 can return partial responses for a subset of events to a search head that combines the results to produce an answer for the query,” [0653] – [0654], “This final result may comprise different types of data depending on what the query requested. For example, the results can include a listing of matching events returned by the query, or some type of visualization of the data from the returned events. In another example, the final result can include one or more calculated values derived from the matching events”).

For claim 3, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the real-time reporting service comprises a dashboard service (see [0755], “The data intake and query system 108 provides various schemas, dashboards, and visualizations that simplify developers' tasks to create applications with additional capabilities”).

For claim 4, Sriharsha teaches the computer implemented method as recited in claim 3, wherein the one or more metrics are displayed graphically to the user with a graph illustrating the number of occurrences of an event type over a predefined period of time (see [0762], “For example, FIG. 33B illustrates an example incident review dashboard 3310 that includes a set of incident attribute fields 3311 that, for example, enables a user to specify a time range field 3312 for the displayed events. It also includes a timeline 3313 that graphically illustrates the number of incidents that occurred in time intervals over the selected time range”).

For claim 5, Sriharsha teaches the computer implemented method as recited in claim 1, wherein providing the one or more metrics from the subset of the stream of log data to a user comprises sending an alert to a subscriber of an alert service when the one or more metrics indicate a predefined threshold has been exceeded (see [0218], [0380], [0755], “performs monitoring and alerting operations and includes analytics to facilitate identifying both known and unknown security threats based on large volumes of data stored by the data intake and query system 108,” [0760], “Also, alerts can be generated to notify system operators when important notable events are discovered”).

For claim 6, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the subset of the stream of log data comprises only the logs from the stream of log data that include the one or more metrics (see [0610] – [0611], [0686], filter log data that meet required metric parameter conditions).

For claim 7, Sriharsha teaches the computer implemented method as recited in claim 6, wherein extracting the subset of the stream of log data further comprises processing the subset of the stream of log data to generate the one or more metrics and saving the subset of the stream of log data comprises saving the one or more metrics to a third location (see Fig. 21A, [0575], “the indexing system 212 receives messages from the intake system 210 (e.g., by obtaining the messages from the output ingestion buffer 310) and parses the data of the message to organize the data into events,” [0588] – [0590], “At block 2118, the indexing system 212 stores the events with an associated timestamp in a local data store 212 and/or common storage 216”).

For claim 8, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the real-time reporting service comprises a user-defined query service (see [0153], “The system enables users to run queries against the stored events to, for example, retrieve events that meet criteria specified in a query, such as criteria indicating certain keywords or having specific values in defined fields.”).

For claim 9, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the first location comprises a plurality of shards and the stream of log data is distributed across the plurality of shards (see [0234] – [0235], [0240], “a partition manager 408 receives data from one or more of the shards or partitions of the ingestion buffer 310. The partition manager 408 can forward the data from the shard to the indexer 410 for processing”).

For claim 10, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the stream of log data sent to the first location is stored at the first location (see [0219], [0401], where instance of stream data stored in a first buffer represents storing forwarded to a first location).

For claim 11, Sriharsha teaches the computer implemented method as recited in claim 1, wherein the subset of the stream of log data includes only metric data (see [0144], “Machine data can include system logs, network packet data, sensor data, application program data, error logs, stack traces, system performance data, etc. In general, machine data can also include performance data, diagnostic information, and many other types of data that can be analyzed to diagnose performance problems, monitor user interactions, and to derive other insights” where performance data represents metric data).

For claim 13, Sriharsha teaches the computer implemented method as recited in claim 1, further comprising requesting new metrics stored in the second location in response to receiving a user request to update one or more queries associated with the reporting service (see [0200] – [0203], [0212] – [0213], [0219], “the intake system 210 may divide and categorize messages from the intake ingestion buffer 306, partitioning the message into output topics relevant to a specific downstream consumer. In this manner, specific portions of data input to the data intake and query system 108 may be “divided out” and handled separately, enabling different types of data to be handled differently, and potentially at different speeds,” [0221], [0228], [0401], “various implementations may involve concurrent or at least partially parallel processing. For example, in one embodiment, the intake system 210 is configured to process a message according to all rules determined to apply to that message. Thus for example if at block 706 five rules are determined to apply to the message, the intake system 210 may implement five instances of blocks 708 through 714, each of which may transform the message in different ways or publish the message to different ingestion buffers or topics. These five instances may be implemented in serial, parallel, or a combination thereof,” [0153], “The system enables users to run queries against the stored events to, for example, retrieve events that meet criteria specified in a query, such as criteria indicating certain keywords or having specific values in defined fields.”).

For claim 14, Sriharsha teaches the computer implemented method as recited in claim 13, further comprising updating rules associated with the second location to match the requested update to the one or more queries (see [0153] – [0154], “an extraction rule may apply to a set of events that are each associated with a particular host, source, or source type. When events are to be searched based on a particular field name specified in a search, the system uses one or more configuration files to determine whether there is an extraction rule for that particular field name that applies to each event that falls within the criteria of the search” and where search query criteria updates extraction rule associated with output buffer, [0401]).

For claim 15, Sriharsha teaches the computer implemented method as recited in claim 14, further comprising requesting historical data from the first location when metrics requested by the one or more queries are not stored (see [0300], “Each search node 506 can store copies of one or more buckets from the common storage 216 within the local cache, such that the buckets may be more rapidly searched by search nodes 506. The search manager 514 (or cache manager 516) can maintain or retrieve from search nodes 506 information identifying, for each relevant search node 506, what buckets are copied within local cache of the respective search nodes 506” where cached data is searched first, [0586] – [0590], [0610] – [0611], query appropriate buffer, first location, when cached data is not present).

For claim 16, Sriharsha teaches the computer implemented method as recited in claim 15, further comprising sending the historical data from the first location to the constraint plane (see Fig. 21A, [0191], [0572], storing data in “indexes” after retrieving from buffer, first location).

For claim 17, Sriharsha teaches the computer implemented method as recited in claim 16, further comprising extracting one or more metrics from the historical data provided by the first location at the constraint plane (see [0191], [0572], [0586], “When the data intake and query system 108 subsequently receives a keyword-based query, the query system 214 can access the keyword index to quickly identify events containing the keyword”).

For claim 18, Sriharsha teaches the computer implemented method as recited in claim 17, further comprising: saving the one or more metrics at the second location; and transmitting the one or more metrics to the reporting service (see [0213], [0224], “individual devices implementing the streaming data processors 308 may subscribe to different topics on the intake ingestion buffer 306, and the number of devices subscribed to an individual topic may vary according to a rate of publication of messages to that topic,” [0386], “The output ingestion buffer 310 may thereafter make the message available to downstream systems or components. These downstream systems or components are generally referred to herein as “subscribers.” For example, the indexing system 212 may subscribe to an indexing topic 342, the query system 214 may subscribe to a search results topic 348, a client device 102 may subscribe to a custom topic 352A, etc.,” [0588] – [0590], “each search node 506 can return partial responses for a subset of events to a search head that combines the results to produce an answer for the query,” [0653] – [0654], “This final result may comprise different types of data depending on what the query requested. For example, the results can include a listing of matching events returned by the query, or some type of visualization of the data from the returned events. In another example, the final result can include one or more calculated values derived from the matching events”).



Response to Arguments

Applicant’s arguments with respect to claim(s) rejected under 35 U.S.C. 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kim et al., US 2015/0154288. 
Wiesmaier et al., US 2018/0203744.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENSEN HU whose telephone number is (571)270-3803. The examiner can normally be reached Monday - Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JENSEN HU/Primary Examiner, Art Unit 2169