DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	In response to the Office action mailed on 5/9/2022, the applicants have filed response: claims 1, 7, 12, 16 and 19 have been amended.  Claims 1 – 20 are pending.
Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
6.	Claims 1, 7, 8, 12 and 16 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan et al. (U.S. Publication 2011/0196964) (Natarajan hereinafter) (Identified by Applicant in IDS) in view of Morin et al. (U.S. Publication 2007/0300302) (Morin hereinafter).
7. 	As per claim 1, Natarajan teaches a system comprising:
a processor [controller, cl. 13]; and
a memory coupled to the processor and storing instructions executable by the processor [“a controller-usable medium having a computer readable program code embodied in a controller for managing event traffic in a network system,” cl. 13] to:
monitor a plurality of events received from a computing environment, wherein the plurality of events is part of an event stream being received from the computing environment [“Referring to FIGS. 4A through 4F, flow charts illustrate one or more embodiments or aspects of a computer executed method for managing event traffic in a network system. FIG. 4A depicts a computer-executed method 400 for operating the network system and handling event storms. The illustrative method 400 comprises analyzing and controlling 402 event traffic by analyzing 404 events according to policies specified in a policies database, and processing 406 raw network packets directly with less than full packet parsing.  Analyzing and controlling 402 event traffic can further comprise generating 408 a filtered stream of events based on the analysis, and propagating 410 the filtered stream of events to a monitoring system.” ¶ 0030];
detect, based on the monitoring, that a first event is received in the event stream at least in response to performance of a first operation in the computing environment [“Examples of events can include alarms or traps as in a network manager software installation or messages as in an operations product installation. For example, in the network manager context, several scenarios can result in large event storms.” ¶ 0041; “In an operations context, a scenario for occurrence of event storms is application agents that lose connection to a management server, for example due to network problems, and buffer all generated messages, then storming the buffered messages to the server once connectivity is established,” ¶ 0042; connecting to a management server mapped to performance of first operation].
Natarajan does not explicitly disclose but Morin discloses determine a first handling action to be performed for the first event based on frequency of occurrence of the first event in the event stream without performance of the first operation and at least one of: a number of actions triggered by the first event or frequency of occurrence of the first event in the event stream in response to performance of the first operation [“Alarm processing modules include false alarm suppression modules for identifying false positives, which are alarms generated by the intrusion detection sensors even though there has been no intrusive activity. Alarms produced when an intrusive activity has actually taken place are called true positives.” ¶ 0007; “During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050]; and
the first handling action being one of suppression of the first event or allowing processing of the first event, and perform the first handling action for the first event received subsequent to the determination and in response to performance of the first operation [“The third stage P3 is an operational stage in which new alarms are classified autonomously by the processing means 21 of the false alarm suppression module 17 providing the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold. Accordingly, the false alarm suppression module 17 marks alarms and sends only true alarms to the alarm presentation console 5. False alarms are either suppressed directly or stored in the memory means 25 or preferably in ancillary storage means 27 via a connection 26.” ¶ 0066].
	         It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan and Morin available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan to include the capability of managing false alarms as taught by Morin, thereby providing a mechanism to enhance system efficiency by providing an automated means to process and manage events thereby reducing the need to process unwanted alarms and to better manage system resources.
8. 	As per claim 7, Natarajan and Morin teach the system of claim 1.  Morin further teaches wherein the instructions are executable by the processor to: determine a second handling action to be performed for the first event if the first event is received without performance of the first operation based on the frequency of occurrence of the first event in the event stream without the first operation, wherein the second handling action is one of suppression of the first event or allowing processing of the first event [“Alarm processing modules include false alarm suppression modules for identifying false positives, which are alarms generated by the intrusion detection sensors even though there has been no intrusive activity. Alarms produced when an intrusive activity has actually taken place are called true positives.” ¶ 0007; “During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050], wherein, the second handling action is to be performed for the first event that is received subsequent to the determination of the second handling action and without performance of the first operation [“The third stage P3 is an operational stage in which new alarms are classified autonomously by the processing means 21 of the false alarm suppression module 17 providing the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold. Accordingly, the false alarm suppression module 17 marks alarms and sends only true alarms to the alarm presentation console 5. False alarms are either suppressed directly or stored in the memory means 25 or preferably in ancillary storage means 27 via a connection 26.” ¶ 0066].
	         It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan and Morin available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan to include the capability of managing false alarms as taught by Morin, thereby providing a mechanism to enhance system efficiency by providing an automated means to process and manage events thereby reducing the need to process unwanted alarms and to better manage system resources.
9. 	As per claim 8, Natarajan and Morin teach the system of claim 1.  Natarajan further teaches wherein the instructions are executable to determine the first handling action to be suppression of the first event in response to at least one of:
the number of actions triggered by the first event being greater than a first action threshold [“In an example implementation, the one or more statistics can be selected from parameters regarding entities including top-K sources, event-types, (source, event)-tuples of the data structures, sources with an event rate extending past a predetermined threshold, event-types with an event rate extending past a predetermined threshold, (source, event)-tuples of the data structures with an event rate extending past a predetermined threshold, and the like,” ¶ 0035; “Referring to FIG. 4F, a computer-executed method 450 for operating the network system can perform analysis 452 of event traffic comprising monitoring 454 event streams for anomalies using analysis algorithms, and determining 456 traffic shaping based on the observed anomalies.” ¶ 0037,
the number of actions triggered by the first event being lesser than a second action threshold, the second action threshold being lesser than the first action threshold,
the frequency of occurrence of the first event in the event stream in response to performance of the first operation being greater than a first frequency threshold, and
the frequency of occurrence of the first event in the event stream without performance of the first operation being greater than a second frequency threshold.
10.        As per claim 12, it is a method claim having similar limitations as cited in claim 1.  Thus, claim 12 is also rejected under the same rationale as cited in the rejection of claim 1 above.
11. 	As per claim 16, Natarajan teaches a non-transitory computer-readable medium comprising instructions for performing operation-based event suppression, the instructions being executable by a processing resource to:
monitor a plurality of events received from a computing environment, wherein the plurality of events is part of an event stream being received from the computing environment [“Referring to FIGS. 4A through 4F, flow charts illustrate one or more embodiments or aspects of a computer executed method for managing event traffic in a network system. FIG. 4A depicts a computer-executed method 400 for operating the network system and handling event storms. The illustrative method 400 comprises analyzing and controlling 402 event traffic by analyzing 404 events according to policies specified in a policies database, and processing 406 raw network packets directly with less than full packet parsing.  Analyzing and controlling 402 event traffic can further comprise generating 408 a filtered stream of events based on the analysis, and propagating 410 the filtered stream of events to a monitoring system.” ¶ 0030];
detect, based on the monitoring, that a first set of events is received in the event stream in response to performance of a first operation in the computing environment [“Examples of events can include alarms or traps as in a network manager software installation or messages as in an operations product installation. For example, in the network manager context, several scenarios can result in large event storms.” ¶ 0041; “In an operations context, a scenario for occurrence of event storms is application agents that lose connection to a management server, for example due to network problems, and buffer all generated messages, then storming the buffered messages to the server once connectivity is established,” ¶ 0042; connecting to a management server mapped to performance of first operation].
Natarajan does not explicitly disclose but Morin discloses determine a first handling action to be performed for the first event based on frequency of occurrence of the first event in the event stream without performance of the first operation and at least one of: a number of actions triggered by the first event or frequency of occurrence of the first event in the event stream in response to performance of the first operation [“Alarm processing modules include false alarm suppression modules for identifying false positives, which are alarms generated by the intrusion detection sensors even though there has been no intrusive activity. Alarms produced when an intrusive activity has actually taken place are called true positives.” ¶ 0007; “During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050]; and
the first handling action being one of suppression of the first event or allowing processing of the first event, and perform the first handling action for the first event received subsequent to the determination and in response to performance of the first operation [“The third stage P3 is an operational stage in which new alarms are classified autonomously by the processing means 21 of the false alarm suppression module 17 providing the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold. Accordingly, the false alarm suppression module 17 marks alarms and sends only true alarms to the alarm presentation console 5. False alarms are either suppressed directly or stored in the memory means 25 or preferably in ancillary storage means 27 via a connection 26.” ¶ 0066]; and
          develop(ing), based on the determination, a first suppression rule corresponding to the first operation, the first suppression rule specifying suppression-suitable events among the first set of events [“During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050, and suppress the suppression-suitable events if the set of events is received subsequent to the determination [“The module preferably further includes a storage module for storing false alarms during the operational stage so that only true alarms are sent to an alarm presentation console.” ¶ 0051].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan and Morin available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan to include the capability of managing false alarms as taught by Morin, thereby providing a mechanism to enhance system efficiency by providing an automated means to process and manage events thereby reducing the need to process unwanted alarms and to better manage system resources.
12. 	As per claim 17, Natarajan and Morin teach the non-transitory computer-readable medium of claim 16.  Morin further teaches wherein, subsequent to the development of the first suppression rule, the instructions are executable by the processing resource to: receive the first set of events [“During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050]; and suppress each suppression-suitable event specified in the first suppression rule [“The module preferably further includes a storage module for storing false alarms during the operational stage so that only true alarms are sent to an alarm presentation console.” ¶ 0051].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan and Morin available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan to include the capability of managing false alarms as taught by Morin, thereby providing a mechanism to enhance system efficiency by providing an automated means to process and manage events thereby reducing the need to process unwanted alarms and to better manage system resources.
13.        As per claim 18, it is a media claim having similar limitations as cited in claim 8.  Thus, claim 18 is also rejected under the same rationale as cited in the rejection of claim 8 above.
14. 	As per claim 19, Natarajan and Morin teach the non-transitory computer-readable medium of claim 16.  Morin further teaches wherein the instructions are executable by the processing resource to: determine a second handling action to be performed for a first event of the first set of events if the first event is received without performance of the first operation, wherein the second handling action is determined based on the frequency of occurrence of the first event in the event stream without the first operation [“Alarm processing modules include false alarm suppression modules for identifying false positives, which are alarms generated by the intrusion detection sensors even though there has been no intrusive activity. Alarms produced when an intrusive activity has actually taken place are called true positives.” ¶ 0007; “During an operational stage, the data processing means advantageously classify new alarms autonomously if the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold.” ¶ 0050]; and
wherein subsequent to determination of the second handling action, the second handling action is to be performed for the first event if the first event is received outside of the first set of events [“The third stage P3 is an operational stage in which new alarms are classified autonomously by the processing means 21 of the false alarm suppression module 17 providing the rate at which the classifications of new alarms are corrected during the validation stage falls below a particular threshold. Accordingly, the false alarm suppression module 17 marks alarms and sends only true alarms to the alarm presentation console 5. False alarms are either suppressed directly or stored in the memory means 25 or preferably in ancillary storage means 27 via a connection 26.” ¶ 0066], 
wherein the second handling action is one of suppression of the first event or allowing processing of the first event [“The module preferably further includes a storage module for storing false alarms during the operational stage so that only true alarms are sent to an alarm presentation console.” ¶ 0051].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan and Morin available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan to include the capability of managing false alarms as taught by Morin, thereby providing a mechanism to enhance system efficiency by providing an automated means to process and manage events thereby reducing the need to process unwanted alarms and to better manage system resources.
15.	Claims 2 – 4, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan and Morin in further view of Spiro et al. (U.S. Publication 2018/0173216) (Spiro hereinafter).
16. 	As per claim 2, Natarajan and Morin teach the system of claim 1.  Natarajan further teaches wherein, to detect that the first event is received in response to performance of the first operation, the instructions are executable by the processor to:
identify, based on the monitoring, arrival of events at a first event arrival rate in the event stream, wherein a difference between the first event arrival rate and an average rate of arrival over a first time period is greater than an event arrival threshold; deduce that the first event arrival rate is due to the performance of the first operation in the computing environment [“the one or more statistics can be selected from parameters regarding entities including top-K sources, event-types, (source, event)-tuples of the data structures, sources with an event rate extending past a predetermined threshold, event-types with an event rate extending past a predetermined threshold, (source, event)-tuples of the data structures with an event rate extending past a predetermined threshold, and the like,” ¶ 0035; event rates may be determined based on sources and/or event types];
designate events that arrived at the first event arrival rate as being part of a first cluster of events [“Clusters of event traffic on a network system, which can be called event storms, can occur in monitoring systems such as push-based monitoring systems in which agents on the monitored devices or local aggregators push system monitoring data as events to a central management server … An event storm can result when a wide area network (WAN) router fails and many (for example, several hundreds) edge routers connected to the Internet via the WAN router generate alerts simultaneously. An event storm can also occur for a router that is incorrectly configured to low threshold values for generating alerts. A further cause of event storms is noisy devices that emit a large number of traps of little value to a monitoring system.” ¶ 0041].
Natarajan and Morin do not explicitly disclose but Spiro discloses deduc(ing) that the first cluster of events is received due to the performance of the first operation [“The apparatus may be configured to identify at least a portion of the retrieved historic maintenance data as being indicative of the maintenance event by identifying a cluster of warning messages associated with the maintenance event,” ¶ 0018; maintenance event mapped to operation].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin and Spiro available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan and Morin to include the capability of identifying sources of clustered events as taught by Spiro, thereby providing a mechanism to enhance system efficiency and maintainability by providing an automated means to identify and isolate events thereby improving the ability to react to system anomalies.
17. 	As per claim 3, Natarajan, Morin and Spiro teach the system of claim 2.  Natarajan further teaches wherein, subsequent to determination of the first handling action, the instructions are executable by the processor to: receive the first event; and perform the first handling action for the first event if the first event is detected to be received in response to performance of the first operation [“Referring to FIG. 4F, a computer-executed method 450 for operating the network system can perform analysis 452 of event traffic comprising monitoring 454 event streams for anomalies using analysis algorithms, and determining 456 traffic shaping based on the observed anomalies.” ¶ 0037].
18. 	As per claim 4, Natarajan, Morin and Spiro teach the system of claim 3.  Natarajan further teaches wherein the first cluster of events is a superset of a first set of events, the first set of events comprises the first event [“Clusters of event traffic on a network system, which can be called event storms, can occur in monitoring systems such as push-based monitoring systems in which agents on the monitored devices or local aggregators push system monitoring data as events to a central management server … An event storm can result when a wide area network (WAN) router fails and many (for example, several hundreds) edge routers connected to the Internet via the WAN router generate alerts simultaneously. An event storm can also occur for a router that is incorrectly configured to low threshold values for generating alerts. A further cause of event storms is noisy devices that emit a large number of traps of little value to a monitoring system.” ¶ 0041; storms and clusters are analogous to supersets of events – superset is not defined in the specification], and in response to receiving the first event, the instructions are executable by the processor to: detect that the first event is received due to the performance of the first operation if the first set of events is received at the first event arrival rate [“the one or more statistics can be selected from parameters regarding entities including top-K sources, event-types, (source, event)-tuples of the data structures, sources with an event rate extending past a predetermined threshold, event-types with an event rate extending past a predetermined threshold, (source, event)-tuples of the data structures with an event rate extending past a predetermined threshold, and the like,” ¶ 0035; event rates may be determined based on sources and/or event types].
19.        As per claim 13, it is a method claim having similar limitations as cited in claim 2.  Thus, claim 13 is also rejected under the same rationale as cited in the rejection of claim 2 above.
20.        As per claim 20, it is a media claim having similar limitations as cited in claim 2.  Thus, claim 20 is also rejected under the same rationale as cited in the rejection of claim 2 above.
21.	Claims 5, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, Morin and Spiro in further view of Advani (U.S. Publication 2016/0019776) (Advani hereinafter).
22. 	As per claim 5, Natarajan, Morin and Spiro teach the system of claim 2.  Natarajan further teaches wherein the instructions are executable by the processor to: determine the first handling action corresponding to each event of the first cluster of events [“In an example implementation, the one or more statistics can be selected from parameters regarding entities including top-K sources, event-types, (source, event)-tuples of the data structures, sources with an event rate extending past a predetermined threshold, event-types with an event rate extending past a predetermined threshold, (source, event)-tuples of the data structures with an event rate extending past a predetermined threshold, and the like,” ¶ 0035; “Referring to FIG. 4F, a computer-executed method 450 for operating the network system can perform analysis 452 of event traffic comprising monitoring 454 event streams for anomalies using analysis algorithms, and determining 456 traffic shaping based on the observed anomalies.” ¶ 0037; traffic shaping mapped to first handling action; “Clusters of event traffic on a network system, which can be called event storms, can occur in monitoring systems such as push-based monitoring systems in which agents on the monitored devices or local aggregators push system monitoring data as events to a central management server … An event storm can result when a wide area network (WAN) router fails and many (for example, several hundreds) edge routers connected to the Internet via the WAN router generate alerts simultaneously. An event storm can also occur for a router that is incorrectly configured to low threshold values for generating alerts. A further cause of event storms is noisy devices that emit a large number of traps of little value to a monitoring system.” ¶ 0041].
Natarajan, Morin and Spiro do not explicitly disclose but Advani discloses determine a time duration for which the first cluster of events is received [“Processing of continuous event streams necessarily entails specifying a moving time window along with selection criteria in a query. The selection criteria is applied against data values corresponding to time instances in a specific duration determined by the moving time window to form the results corresponding to that duration. The results are formed at continuous discrete instances as the specific duration is changed according to the moving time window specified in the query.” ¶ 0006];
define a first suppression rule corresponding to the first operation, the first suppression rule specifying the first handling action corresponding to each event of the first cluster of events and the time duration for which the first cluster of events is received [“alert server 150 receives a suppression condition associated with the pattern of interest. A suppression condition specifies the situations, the occurrences of which are not to be reported as alerts,” ¶ 0043; suppression condition mapped to suppression rule, pattern of interest mapped to cluster of events],
wherein, subsequent to defining the first suppression rule, in response to detection that the first operation is performed, for each event of the first cluster of events received in the time duration, the first handling action corresponding to the event is to be performed by referring to the first suppression rule [“alert server 150 checks whether the suppression condition is satisfied for a next occurrence in the sequence. In a scenario that the suppression condition is satisfied, the alert is skipped and alert server 150 processes the next occurrence in the sequence (waiting for such occurrence, if required). Control passes to step 280 if the suppression condition is not satisfied for the next occurrence.” ¶ 0046].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin, Spiro and Advani available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan, Morin and Spiro to include the capability of managing event streams as taught by Advani, thereby providing a mechanism to enhance system efficiency and usability by providing an automated means to identify and report/suppress events occurring within a specific time duration.
23. 	As per claim 14, Natarajan, Morin and Spiro teach the method of claim 13.  Natarajan, Morin and Spiro do not explicitly disclose but Advani discloses determining the first handling action for each event of the set of events based on a first suppression rule corresponding to the first operation [“alert server 150 receives a suppression condition associated with the pattern of interest. A suppression condition specifies the situations, the occurrences of which are not to be reported as alerts,” ¶ 0043; suppression condition mapped to suppression rule, pattern of interest mapped to cluster of events], the first suppression rule specifying suppression-suitable events among the first cluster of events and a time duration for which the first cluster of events was received [“Processing of continuous event streams necessarily entails specifying a moving time window along with selection criteria in a query. The selection criteria is applied against data values corresponding to time instances in a specific duration determined by the moving time window to form the results corresponding to that duration. The results are formed at continuous discrete instances as the specific duration is changed according to the moving time window specified in the query.” ¶ 0006].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin, Spiro and Advani available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan, Morin and Spiro to include the capability of managing event streams as taught by Advani, thereby providing a mechanism to enhance system efficiency and usability by providing an automated means to identify and report/suppress events occurring within a specific time duration.
24. 	As per claim 15, Natarajan, Morin, Spiro and Advani teach the method of claim 14.  Advani further teaches in response to receiving the set of events, suppressing each suppression- suitable event received in the time duration [“alert server 150 receives a suppression condition associated with the pattern of interest. A suppression condition specifies the situations, the occurrences of which are not to be reported as alerts,” ¶ 0043; suppression condition mapped to suppression rule, pattern of interest mapped to cluster of events].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin, Spiro and Advani available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan, Morin and Spiro to include the capability of managing event streams as taught by Advani, thereby providing a mechanism to enhance system efficiency and usability by providing an automated means to identify and report/suppress events occurring within a specific time duration.
25.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, Morin, Spiro and Advani in further view of Yoon et al. (U.S. Publication 2018/0101423) (Yoon hereinafter).
26. 	As per claim 6, Natarajan, Morin, Spiro and Advani teach the system of claim 5. Natarajan, Morin, Spiro and Advani do not explicitly disclose but Yoon discloses wherein the instructions are executable to determine the time duration for which the first cluster of events received based on at least one of: a time until which the events are received at the first event arrival rate [“one or more temporal characteristics for a cluster can be identifies, such as a peak frequency corresponding to timestamps of messages assigned to the cluster, a power at the peak frequency, a variance (or standard deviation) of the peak frequency and/or a variance (or standard deviation) of power. A threshold may be defined based on the temporal characteristic(s). For example, a threshold corresponding to a "cluster-ending" alert may be defined as detecting that a peak frequency of messages has changed to be less than 1/3 of the peak frequency and/or less than a peak frequency minus two standard deviations of the peak frequency,” ¶ 0156]; and
comparison of a plurality of versions of the first cluster of events.
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin, Spiro, Advani and Yoon available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan, Morin, Spiro and Advani to include the capability of cluster-based log processing as taught by Yoon, thereby providing a mechanism to enhance system efficiency by providing an automated means to identify and manage cluster durations.
27.	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Natarajan and Morin in further view of Davidson (U.S. Publication 2014/0104195) (Davidson hereinafter).
28. 	As per claim 9, Natarajan and Morin teach the system of claim 8.  Natarajan and Morin do not explicitly disclose but Davidson discloses wherein the instructions are executable by the processor to detect that a first cluster of events is received due to the performance of the first operation and wherein the first cluster of events comprises a plurality of first events, and if the frequency of occurrence of the first event in response to performance of the first operation is greater than a first frequency threshold, the instructions are executable by the processor to: determine the first handling action for a first subset of the plurality of first events to be suppression; and determine the first handling action for a second subset of the plurality of first events to be allowing of the first event [“The system hook 126 is configured to selectively filter out certain of the events it receives based on application location information. The events received by the system hook 126 may be associated with a particular application based on the location information included in or associated with the events and the application location information. When an event is assigned to a particular application (i.e., determined to be directed to that application based on location information), the system hook 126 may apply filtering criteria assigned to that application to determine whether to pass the event to the application for processing or, alternatively, suppress the event such that it is not reported to the application.” ¶ 0041; “A single system hook may be used to filter out events for all or a subset of the displayed applications. Alternatively, each application may have its own system hook dedicated to filtering out events specific to that application.” ¶ 0109].
          It would have been obvious to one of ordinary skill in the art, having the teachings of Natarajan, Morin and Davidson available before the effective filing date of the claimed invention, to modify the capability of managing event traffic as disclosed by Natarajan and Morin to include the capability of selective reporting of received events as taught by Davidson, thereby providing a mechanism to enhance system efficiency and operability by providing an automated means to selectively identify and manage events thereby improving the ability to react to system anomalies.
Allowable Subject Matter
29.	Claims 10 and 11 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Response to Arguments
Claim Rejections - 35 USC § 101
30.	Applicant’s arguments have been fully considered and are persuasive.  The subject rejection has been withdrawn. 
Claim Rejections - 35 USC § 103
31.	Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
32.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
33.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM C WOOD whose telephone number is (571)272-5285. The examiner can normally be reached Monday - Friday, 8:00 am - 4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat C Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WILLIAM C WOOD/Examiner, Art Unit 2193                                                                                                                                                                                                        

/Chat C Do/Supervisory Patent Examiner, Art Unit 2193