DETAILED ACTION
Claims 1-21 are pending in this office action.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The limitation “each log message generated by the event sources” in claims 1, 8, 15 was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The dependent claims 2-7, 9-14, 16-21 are rejected under the same reason as discussed in claims 1, 8, 15.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-8, 14-15, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Luo et al (or hereinafter “Luo”) (US 20210149905) in view of Petersen et al (or hereinafter “Petersen”) (US 20160301561) and Pal et al (or hereinafter “Pal”) (US 20200364223).
As to claim 1, Luo teaches a method stored in one or more data-storage devices and executed using one or more processors of a computer system for storing and querying log messages generated by event sources in a distributed computing system (paragraphs 37, 107, 133, figs. 9-10), the method comprising: 
“storing each log message generated by the event sources in a live storage database” as storing log messages in a log file (paragraphs 37, 102), the log messages are generated by a program (paragraph 68).  The program is not the event sources.  The log file is represented as a live storage database;
bifurcating log messages of the live storage database into log patterns and metric objects (as dividing log messages of the log file into tokens or segments, e.g., values 74 (figs. 2-3, abstract, paragraphs 47, 68, 83), as log patterns and tokens or segments, e.g., keys 68 (figs. 2-3, paragraphs 47, 68, 78, 103), as metric objects). The keys, which are a sequence of values that includes numeric values (abstract; paragraph 9), are represented as metric objects.
In particular: the plurality of log messages is divided into a plurality of segments (page 11, col. Left: claim 10);
“storing the log patterns in a log-pattern database and the metric objects in a time-series metric database” as storing tokens or segments, e.g., non-numeric values or non-numeric expressions of variables, as log patterns in non-numeric expression dictionary 34 as a log-pattern database (figs. 3, 6, paragraphs 68, 83, 97, 126) and tokens or segments, e.g., keys, in a dictionary 36 (figs. 3, 6, abstract, paragraphs 28, 77, 81, 103). The dictionary 36 is not a time-series metric database.
In particular: the plurality of log messages is divided into a plurality of segments (page 11, col. Left: claim 10). A non-numeric expression dictionary 34 is used to store non-numeric expressions of variables used by a program that generated the log messages 30 (paragraph 68). The log-type dictionary and non-numeric expression dictionary store a list of segments that contain each log type and non-numeric expression, such segment lists of segments (paragraph 139);
“retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval” as obtaining non-numeric expressions of variables from the dictionary 34 for matching (paragraphs 107, 109) and log-type keys as metric objects from the dictionary 36 (paragraphs 107, 110, 123, 129) in response to a query 180 for log messages (figs. 6-8, paragraphs 107-114, 126, 130) in a search phrase (paragraph 113). The dictionary 36 is not the time-series metric database. The query is not a query time interval.
In particularly: a non-numeric expression subquery 184 is executable on the non-numeric expression dictionary 34 to match non-numeric expressions of variables contained therein (paragraph 109). A log-type subquery 186 is executable on the log-type dictionary 36 to match log information contained therein, such as log message information that excludes expressions of variables and numeric values (paragraph 110). 
The instructions 174 may return all reconstructed log messages that match a search phrase, i.e., log messages that contain the search phrase as a substring (paragraph 114). 
For a given search phrase, the instructions 174 identify where matching elements may be stored. For instance, a search phrase that match with elements in the non-numeric expression dictionary 34 as that is where such elements are stored. A search phrase that matches with elements in the log-type dictionary 36 (paragraph 115).
Results are obtained from subqueries in the form of segment identifiers and then applying the composition logic to obtain sets of segment identifiers. A numeric subquery 188 is assigned the set of segments 160 that contain at least one numeric value, which may be determined by searching a log-type dictionary 36 to determine which log types contain at least one numeric value. Log-type and non-numeric subqueries 186, 184 return respective sets of segments 160 from the respective dictionaries 36, 34 (paragraph 126);
For example, for the third search job*, two subqueries are performed in parallel. The first subquery returns a set S.sub.log type that contains the keys of the matching log types, and a set of segment identifiers S′.sub.log type. The second subquery returns a set S.sub.var that contains the keys of the matching non-numeric expressions and a set of segment identifiers S′.sub.var (paragraph 130);
reconstructing log messages from the log patterns retrieved from the log-pattern database and the metric objects retrieved from the time-series metric database (as reconstructing log messages (paragraphs 113-115, 126) from obtained non-numeric expressions of variables from the dictionary 34 for matching (paragraphs 107, 109) and log-type keys as metric objects from the dictionary 36 (paragraphs 107, 110, 123, 129) in response to a query 180 for log messages (figs. 6-8, paragraphs 107-114, 126, 130) in a search phrase (paragraph 113)). The dictionary 36 is not the time-series metric database.
Luo does not explicitly teach the claimed limitations:
the event sources;
that exceed a time limit for storage in the live storage database;
time-series metric database;
a query time interval;
with time stamps in the query time interval.
Petersen teaches the claimed limitations:
“storing each log message generated by the event sources in a live storage database” as storing log messages in a log manager as a live storage database (paragraph 154).  The log messages are generated by event network platforms e.g., computers, computer servers, network devices (paragraphs 5, 88);
log messages of the live storage database that exceed a time limit for storage in the live storage database (as log messages of the log manager database that expire as exceeding a time-to-live as a time limit (paragraphs 125-126). For example, a log may remain active for a certain period of time. After that period of time has passed, the log message may be written to an archive file. An exemplary interface for archive restoration or destruction is illustrated in the archive restoration interface 220 of FIG. 14 (fig. 13, paragraph 148));
“a query time interval” as previous 60 days for searching as a query time interval (fig. 33, paragraph 187) or a selected time (e.g., 24 hours) as a query time interval (paragraph 160);
“retrieving log patterns in response to a request for log messages in a query time interval” as retrieving and displaying log source entity values and log source host values as log patterns in response to a request for log messages in a previous 60 day(s) as a query time interval (figs. 33-35, paragraphs 187-189);
“reconstructing log messages with time stamps in the query time interval” as retrieving or restoring log messages (paragraphs 146, 153) with time stamps in the query time interval, e.g., 24 hours (figs. 17-18, 20-21, paragraphs 159-161).
For example, a user of the log manager 203 may develop a rule that collects a particular type of log message. The log entries may be stored in original form, tagged with meta data, and assigned a “normal date” (e.g., a timestamp of the log entry date synchronized to a Standard Time, such as Mountain Standard Time). The log manager 203 may collect those log messages for a certain period of time and write those messages to archive files. The log messages may be retrieved (i.e., restored) for viewing thereafter (paragraph 146).
For example, the view 331 provides a raw count of alarms generated within a selected time (e.g., 24 hours). The view 332, however, provides some general information pertaining to those alarms. For example, the view 332 may indicate that certain alarms are associated with suspicious sources activity, hostile remote activity (e.g., denial of service from external sites), and unauthorized accesses (e.g., file server monitoring) as designated by alarm rules. The view 333 provides even more information pertaining to alarms. For example, the view 333 may show the timestamp of a generated alarm, how the alarm relates to various events, and the associated activity as designated by the alarm rule (paragraph 160).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Petersen’s teaching to Luo’s system in order to reduce storage requirements for providing increased reporting capability and/or storage capability, to allow a user to easily and quickly launch new searches based on one or more metadata fields in a log message or event, and further to provide distributed archival for restoring log messages.
Pal teaches the claimed limitations:
“time-series metric database” as a data store that stores events (paragraph 135) that are derived from time-series data comprising a sequence of data points (e.g., performance measurements from a computer system) (paragraph 130). For example, data store 501 (fig. 5B) contains time-series buckets (paragraphs 212, 215). The data store is represented as a time-series metric database;
“retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval” as, in response to a request for events as log messages in a query time range such as today or yesterday (paragraphs 304-306, fig. 8A), retrieving extraction rules as log patterns from a configuration file as a log-pattern database (paragraphs 277-278, 295-297, fig. 7B) and retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (fig. 7B), as the metric objects retrieved from a data store (paragraphs 305-306, fig. 8A) as a time-series metric database (paragraphs 130, 134).
“reconstructing log messages with time stamps in the query time interval from the log patterns retrieved from the log-pattern database and the metric objects retrieved from the time-series metric database” as generating results, e.g., events with timestamps in the query time range, e.g., one-hour intervals, from extraction rules retrieved from a configuration file (paragraphs 277-278, 295-297, figs. 7B, 8A) and field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (fig. 7B), as the metric objects retrieved from a data store (paragraphs 305-306, fig. 8A) as a time-series metric database (paragraphs 130, 134). Generating results, e.g., events, is not reconstructing log messages.
For example, in response to receiving the search query, search head 210 uses extraction rules to extract values for fields in the events being searched. The search head 210 obtains extraction rules that specify how to extract a value for fields from an event. Extraction rules can comprise regex rules that specify how to extract values for the fields corresponding to the extraction rules. In addition to specifying how to extract field values, the extraction rules may also include instructions for deriving a field value by performing a function on a character string or value retrieved by the extraction rule (paragraph 277).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Pal’s teaching to Luo’s system in order to allow analysts to quickly search and analyze a large set of log messages to visually identify data subsets of interest, and further to enable an individual bucket to be relatively quickly transmitted via a network without introducing excessive additional data storage requirements due to metadata.
As to claims 7, 14, 21, Luo, Pal and Petersen teach the claimed limitation “displaying reconstructed log messages with time stamps in the query time interval in graphical user interface” as displaying generated events with timestamps in the query range in a graphical user interface (Pal: fig. 8A, paragraphs 304-305).  The generated events are not reconstructed log messages.  Log messages are restored via graphical user interface (Petersen: paragraphs 146, 153, fig. 14).  The instructions 174 may return reconstructed log messages that match a search phrase, i.e., log messages that contain the search phrase as a substring (Luo: paragraph 114).

As to claim 8, Luo teaches a computer system for storing and querying log messages generated by event sources in a distributed computing system, the system comprising: “one or more processors; one or more data-storage devices” as processor(s) 428; one or more computers (paragraphs 33-35); “machine-readable instructions stored in the one or more data-storage devices that when executed using the one or more processors controls the system to perform operations comprising” as instructions stored in one or more computers that when executed using a processor perform operations (figs. 1-2, paragraphs 33-35).

As to claim 15, Luo teaches a non-transitory computer-readable medium encoded with machine-readable instructions that implement a method carried out by one or more processors of a computer system to perform operations comprising: (figs. 1-2, paragraphs 33-35).

Claims 3, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Luo in view of Petersen and Pal and further in view of Peterson (or hereinafter “Peter”) (US 20210034497).
As to claims 3, 10, 17, Luo, Petersen, Pal teach the claimed limitations:
“wherein retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval” as obtaining non-numeric expressions of variables from the dictionary 34 for matching (Luo: paragraphs 107, 109) and log-type keys as metric objects from the dictionary 36 (Luo: paragraphs 107, 110, 123, 129) in response to a query 180 for log messages (Luo: figs. 6-8, paragraphs 107-114, 126, 130) in a search phrase (Luo: paragraph 113). The dictionary 36 is not the time-series metric database. The query is not a query time interval;
retrieving and displaying log source entity values and log source host values as log patterns in response to a request for log messages in a previous 60 day(s) as a query time interval (Petersen: figs. 33-35, paragraphs 187-189);
in response to a request for events as log messages in a query time range such as today or yesterday as a query time interval (Pal: paragraphs 304-306, fig. 8A), retrieving extraction rules as log patterns from a configuration file as a log-pattern database (Pal: paragraphs 277-278, 295-297, fig. 7B) and retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time-series metric database (Pal: paragraphs 130, 134);
“receiving a query time interval via a user interface” as receiving a query time range as a time interval via a user interface (Pal: fig. 8A, paragraphs 304-306; Petersen: fig. 14);
“identifying metric objects in the time-series database with corresponding time stamps in the query time interval” as retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time-series metric database (Pal: paragraphs 130, 134); retrieving sets of segments from the dictionaries 34 and 36 in response to a query 180 for log messages (Luo: figs. 6-8, paragraphs 107-108, 126) in a search phrase (Luo: paragraph 113).
Luo does not explicitly teach the claimed limitation “reading log IDs recorded in each of the metric objects; and retrieving a log pattern from the log-pattern database for each different log ID”.
Peter teaches the claimed limitations:
“reading log IDs recorded in each of the metric objects” as extracting the plurality of field identifiers 20 from the log record template 18-1 (paragraph 64) and field identifiers 20 from a log record template 18 (paragraphs 50, 69, fig. 10). The log record templates that make up a number of percent of records (paragraph 81) are represented as metric objects. The field identifiers of the log record templates are represented as log IDs;
“retrieving a log pattern from the log-pattern database for each different log ID” as retrieving from a log record 12 a log data item 24 as a log pattern in the log record 12 that corresponds to the field identifier 20 as a different log ID (paragraphs 53, 78). The log record is stored in a log file as a log-pattern database (paragraph 30).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Peter’s teaching to Luo’s system in order to eliminate a need for a human to generate log record analysis instructions for each different version of a log record, and for each different written language in which a log record is created, saving time and costs associated with log record analysis, and further to increase storage space required to store log files, overutilizes finite network bandwidth.

Claims 4, 11, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Luo in view of Petersen and Pal and further in view of Kesarwani et al (or hereinafter “Ke”) (US 10235372).
As to claims 4, 11, 18, Luo does not explicitly teach the claimed limitations: 
“wherein reconstructing log messages with time stamps in the query time interval comprises: for each log pattern with a log ID that corresponds to at least one metric object with a time stamp in the query time interval, for each of the metric objects with the log ID, replacing placeholders in the log pattern with corresponding variable segments of the metric object to obtain a log message with a time stamp in the query time interval.”
Petersen teaches the limitation “wherein reconstructing log messages with time stamps in the query time interval comprises: for each log pattern with a log ID that corresponds to at least one metric object with a time stamp in the query time interval, for each of the metric objects with the log ID, replacing placeholders in the log pattern with corresponding variable segments of the metric object to obtain a log message with a time stamp in the query time interval” as restoring log messages (paragraphs 146, 153) with time stamps in the query time interval, e.g., 24 hours (figs. 17-18, 20-21, paragraphs 159-161), comprising: for each log source type as each log pattern with log source entity as log ID that corresponds to a count as a metric object with a timestamp in the 24 hours as the query time interval (figs. 17-18, 20-21, paragraphs 159-161); and retrieving and displaying log source entity values and log source host values in response to a request for log messages in a previous 60 day(s) as a query time interval (figs. 33-35, paragraphs 187-189) to obtain a log message with a timestamp in the requested 24 hours or 60 days as the query time interval (paragraphs 159-161, 187-189). The retrieving is not replacing.
Ke teaches the claimed limitation:
for each log pattern with a log ID that corresponds to at least one metric object, for each of the metric objects with the log ID, replacing placeholders in the log pattern with corresponding variable segments of the metric object to obtain a log message (as reconstructing log messages as, for each log template with a template identifier as log ID that corresponds to log data values as metric objects (col. 3, lines 30-47; col. 6, lines 20-67), for the log data values with the template identifier, replacing template value placeholders in the log template with log data values that include 500 and 30 as segments to reconstruct a log message (col. 3, lines 30-47; col. 6, lines 20-67; col. 12, lines 20-30).
For example, when retrieving a log message from storage, the log message may be reconstructed by obtaining log data values for replacing the template value placeholders in the log template and a template identifier from the log data store 118 and obtaining the log template from the log template data store 110 using the template identifier and inserting the log data values into the log template (col. 3, lines 40-47)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Petersen’s teaching and Ke’s teaching to Luo’s system in order to reconstruct a log message from the log message record and the template record in response to a request from a client and further to decrease an amount of storage needed to store a log message.
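The limitation walked through above (claims 1, 4 and 6 as mapped to Luo, Petersen, Ke and Yung) describes a concrete procedure: keep recent messages in live storage, bifurcate messages that exceed a time limit into a log pattern (template with placeholders, identified by a log ID) plus a metric object (log ID, time stamp, variable segments), and answer a query time interval by copying from live storage and reconstructing from the two databases. The following is an added illustration written for this page, not code from the application or any cited reference; the placeholder token "<*>", the tokenizer regex and the sample log lines are all constructed assumptions.

```python
"""Toy live-storage / bifurcation / reconstruction store (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: variable segments are numbers, dotted numbers (e.g. IPv4) and paths.
VAR_RE = re.compile(r"^(\d+(\.\d+)*|/[\w/.-]*)$")


def parse_ts(text):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def fmt_ts(ts):
    """Inverse of parse_ts, so reconstructed lines match the ingested form."""
    return ts.isoformat().replace("+00:00", "Z")


@dataclass(frozen=True)
class LogPattern:           # one row of the log-pattern database
    log_id: int
    template: str           # e.g. "request from <*> took <*> ms"


@dataclass(frozen=True)
class MetricObject:         # one row of the time-series metric database
    log_id: int
    timestamp: datetime
    segments: tuple         # variable segments, in placeholder order


class LogStore:
    def __init__(self, time_limit):
        self.time_limit = time_limit   # retention in live storage
        self.live = []                 # live storage database: (ts, raw line)
        self.patterns = {}             # log-pattern database: template -> LogPattern
        self.metrics = []              # time-series metric database

    def ingest(self, line):
        """Every message is first stored verbatim in live storage."""
        ts_text, _, _ = line.partition(" ")
        self.live.append((parse_ts(ts_text), line))

    def age_out(self, now):
        """Bifurcate messages older than the time limit; return metric count."""
        cutoff = now - self.time_limit
        keep = []
        for ts, line in self.live:
            if ts < cutoff:
                self._bifurcate(ts, line)
            else:
                keep.append((ts, line))
        self.live = keep
        return len(self.metrics)

    def _bifurcate(self, ts, line):
        body = line.split(" ", 1)[1]
        tokens = body.split(" ")
        segs = tuple(t for t in tokens if VAR_RE.match(t))
        template = " ".join("<*>" if VAR_RE.match(t) else t for t in tokens)
        pat = self.patterns.setdefault(
            template, LogPattern(len(self.patterns) + 1, template))
        self.metrics.append(MetricObject(pat.log_id, ts, segs))

    def query(self, start_text, end_text):
        """Copy live messages in [start, end) and reconstruct aged-out ones."""
        start, end = parse_ts(start_text), parse_ts(end_text)
        found = [(ts, line) for ts, line in self.live if start <= ts < end]
        by_id = {p.log_id: p for p in self.patterns.values()}
        for m in self.metrics:
            if not (start <= m.timestamp < end):
                continue
            text = by_id[m.log_id].template
            # A placeholder/segment count mismatch means the two databases
            # disagree about this log ID; refuse to emit a corrupted message.
            if text.count("<*>") != len(m.segments):
                raise ValueError(f"log ID {m.log_id}: placeholder/segment mismatch")
            for seg in m.segments:
                text = text.replace("<*>", seg, 1)
            found.append((m.timestamp, f"{fmt_ts(m.timestamp)} {text}"))
        return [line for _, line in sorted(found, key=lambda item: item[0])]


SAMPLE_LOGS = [  # constructed sample input, not from any cited reference
    "2024-01-01T10:00:00Z request from 10.0.0.5 took 120 ms",
    "2024-01-01T10:05:00Z request from 10.0.0.9 took 340 ms",
    "2024-01-01T11:30:00Z disk usage on /var at 87 percent",
    "2024-01-01T12:00:00Z request from 10.0.0.5 took 95 ms",
]


def demo_store(now_text="2024-01-01T13:00:00Z", hours=2):
    """Ingest the samples, then age out anything older than `hours`."""
    store = LogStore(timedelta(hours=hours))
    for line in SAMPLE_LOGS:
        store.ingest(line)
    store.age_out(parse_ts(now_text))
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.query("2024-01-01T00:00:00Z", "2024-01-02T00:00:00Z"))
```

With the 13:00 reference time and a two-hour limit, the two 10:xx messages are bifurcated (one shared pattern, two metric objects) while the 11:30 and 12:00 messages stay live, so a query spanning both sides returns copied and reconstructed messages that are byte-identical to the originals.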

Claims 5-6, 12-13, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Luo in view of Petersen and Pal and further in view of Yung et al (or hereinafter “Yung”) (US 20210263666).
As to claims 5, 12, 19, Luo, Petersen and Pal teach the claimed limitation “wherein reconstructing log messages with the time stamps in the query time interval comprises the query time interval” as retrieving or restoring log messages (Petersen: paragraphs 146, 153) with time stamps in the query time interval, e.g., 24 hours (Petersen: figs. 17-18, 20-21, paragraphs 159-161).
For example, a user of the log manager 203 may develop a rule that collects a particular type of log message. The log entries may be stored in original form, tagged with meta data, and assigned a “normal date” (e.g., a timestamp of the log entry date synchronized to a Standard Time, such as Mountain Standard Time). The log manager 203 may collect those log messages for a certain period of time and write those messages to archive files. The log messages may be retrieved (i.e., restored) for viewing thereafter (Petersen: paragraph 146).  For example, the view 331 provides a raw count of alarms generated within a selected time (e.g., 24 hours). The view 332, however, provides some general information pertaining to those alarms. For example, the view 332 may indicate that certain alarms are associated with suspicious sources activity, hostile remote activity (e.g., denial of service from external sites), and unauthorized accesses (e.g., file server monitoring) as designated by alarm rules. The view 333 provides even more information pertaining to alarms. For example, the view 333 may show the timestamp of a generated alarm, how the alarm relates to various events, and the associated activity as designated by the alarm rule (Petersen: paragraph 160). 
A period of time, e.g., Sep. 5, 2016 5:00 PM through Sep. 6, 2016 3:00 PM, comprises 5 PM as a query time interval (Pal: paragraph 552).
Luo does not explicitly teach the claimed limitation:
the query time interval not overlapping a recent time interval for retaining log messages in the live storage database.
Yung teaches a current time stamp does not pass as not overlapping a re-tier timestamp for retaining objects in a tier as a live storage database (fig. 5, paragraphs 62-63).  The re-tier timestamp, which is determined repeatedly after sending a request to a server for moving objects from a tier to an archive tier at steps 508, 514 (fig. 5, paragraphs 62-63) is represented as a recent time interval. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Yung’s teaching to Luo’s system in order to retrieve all events having a timestamp within a defined time period based on user’s request and allow for more efficient searching and to provide a way to transition these data objects back to the archive tier to preserve the cost efficiency of using an archival storage cloud.

As to claims 6, 13, 20, Luo, Petersen and Pal teach the claimed limitation wherein reconstructing log messages with time stamps in the query time interval comprises: reconstructing log messages with time stamps in a portion of the query time interval; and copying log messages with time stamps in a portion of the query time interval (as retrieving or restoring log messages (Petersen: paragraphs 146, 153) with time stamps in the query time interval, e.g., 24 hours (Petersen: figs. 17-18, 20-21, paragraphs 159-161);
reconstructing log messages (Luo: paragraphs 113-115, 126) from obtained non-numeric expressions of variables from the dictionary 34 for matching (Luo: paragraphs 107, 109) and log-type keys as metric objects from the dictionary 36 (Luo: paragraphs 107, 110, 123, 129) in response to a query 180 for log messages (Luo: figs. 6-8, paragraphs 107-114, 126, 130) in a search phrase (Luo: paragraph 113); and
generating results, e.g., events with timestamps in the query time range, e.g., one-hour intervals, from extraction rules retrieved from a configuration file (Pal: paragraphs 277-278, 295-297, figs. 7B, 8A) and field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time-series metric database (Pal: paragraphs 130, 134)). Generating results, e.g., events, is not reconstructing log messages.
Luo does not explicitly teach the claimed limitations:
that does not overlap a recent time interval for retaining log messages in the live storage database;
that overlaps with the recent time interval from the live storage database.
Yung teaches the limitations:
“a portion of the query time interval that does not overlap a recent time interval for retaining log messages in the live storage database” as a current time stamp does not pass as not overlap a re-tier timestamp for retaining objects in a tier as a live storage database (fig. 5, paragraphs 62-63).  The re-tier timestamp, which is determined repeatedly after sending a request to a server for moving objects from a tier to an archive tier at steps 508, 514 (fig. 5, paragraphs 62-63) is represented as a recent time interval;
“a portion of the query time interval that overlaps with the recent time interval from the live storage database” as current time stamp is or has passed as overlaps a re-tier timestamp from object tracker 322 in storage node 106 (fig. 3, paragraph 50) that is represented as live storage database.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Yung’s teaching to Luo’s system in order to retrieve all events having a timestamp within a defined time period based on user’s request and allow for more efficient searching and to provide a way to transition these data objects back to the archive tier to preserve the cost efficiency of using an archival storage cloud.

Claims 1, 4, 7-8, 11, 14-15, 18, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Kesarwani et al (or hereinafter “Ke”) (US 10235372) in view of Petersen et al (or hereinafter “Petersen”) (US 20160301561) and Pal et al (or hereinafter “Pal”) (US 20200364223).
As to claim 1, Ke teaches a method stored in one or more data-storage devices and executed using one or more processors of a computer system for storing and querying log messages generated by event sources in a distributed computing system (fig. 9, col. 15, lines 30-67), the method comprising: 
“storing each log message generated by the event sources in a live storage database” as storing log messages that are generated by log statements (fig. 1A, col. 1, lines 15-30; col. 2, lines 1-30) as event sources in data store 304 (col. 7, lines 60-65) or in log data store 204 (col. 6, lines 10-20). The data store 304 or log data store 204 is represented as a live storage database;
bifurcating log messages of the live storage database into log patterns and metric objects (as parsing log messages of data store 204 or 304 for log templates and log data values (fig. 5C, col. 12, lines 30-50; col. 6, lines 60-67; col. 7, lines 1-30). The log data values that are numbers, e.g., 500 and 300 (col. 12, lines 20-30), are represented as metric objects. The log templates are represented as log patterns);
“storing the log patterns in a log-pattern database and the metric objects in a time-series metric database” as storing the log templates as the log patterns in the log template data store 306 as a log-pattern database 306 (col. 7, lines 1-7; col. 7, lines 49-51; col. 12, lines 52-67; fig. 5) and storing the log data values in archive data store 304 (fig. 5C, col. 3, lines 20-25; col. 7, lines 5-30) or in log data store 204 (col. 6, lines 10-20). The data store 304 or log data store 204 is not a time-series metric database.
Ke does not explicitly teach the claimed limitations:
that exceed a time limit for storage in the live storage database;
time-series metric database;
retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval;
reconstructing log messages with time stamps in the query time interval from the log patterns retrieved from the log-pattern database and the metric objects retrieved from the time-series metric database.
Petersen teaches the claimed limitations:
“storing each log message generated by the event sources in a live storage database” as storing log messages in a log manager as a live storage database (paragraph 154).  The log messages are generated by event network platforms e.g., computers, computer servers, network devices (paragraphs 5, 88);
log messages of the live storage database that exceed a time limit for storage in the live storage database (as log messages of the log manager database that expire as exceeding a time-to-live as a time limit (paragraphs 125-126).  For example, a log may remain active for a certain period of time. After that period of time has passed, the log message may be written to an archive file. An exemplary interface for archive restoration or destruction is illustrated by the archive restoration interface 220 of FIG. 14 (fig. 13, paragraph 148));
“a query time interval” as previous 60 days for searching as a query time interval (fig. 33, paragraph 187) or a selected time (e.g., 24 hours) as a query time interval (paragraph 160);
“retrieving log patterns in response to a request for log messages in a query time interval” as retrieving and displaying log source entity values and log source host values as log patterns in response to a request for log messages in a previous 60 day(s) as a query time interval (figs. 33-35, paragraphs 187-189);
“reconstructing log messages with time stamps in the query time interval” as retrieving or restoring log messages (paragraphs 146, 153) with time stamps in the query time interval e.g., 24 hours (figs. 17-18, 20-21, paragraphs 159-161).
For example, a user of the log manager 203 may develop a rule that collects a particular type of log message. The log entries may be stored in original form, tagged with meta data, and assigned a “normal date” (e.g., a timestamp of the log entry date synchronized to a Standard Time, such as Mountain Standard Time). The log manager 203 may collect those log messages for a certain period of time and write those messages to archive files. The log messages may be retrieved (i.e., restored) for viewing thereafter (paragraph 146).
 For example, the view 331 provides a raw count of alarms generated within a selected time (e.g., 24 hours). The view 332, however, provides some general information pertaining to those alarms. For example, the view 332 may indicate that certain alarms are associated with suspicious sources activity, hostile remote activity (e.g., denial of service from external sites), and unauthorized accesses (e.g., file server monitoring) as designated by alarm rules. The view 333 provides even more information pertaining to alarms. For example, the view 333 may show the timestamp of a generated alarm, how the alarm relates to various events, and the associated activity as designated by the alarm rule (paragraph 160).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Petersen’s teaching to Ke’s system in order to reduce storage requirements for providing increased reporting capability and/or storage capability, to allow a user to easily and quickly launch new searches based on one or more metadata fields in a log message or event and further to provide distributed archival for restoring log messages.
Pal teaches the claimed limitations:
“time-series metric database” as a data store that stores events (paragraph 135) that are derived from time-series data comprising a sequence of data points (e.g., performance measurements from a computer system) (paragraph 130).  For example, data store 501 (fig. 5B) contains time-series buckets (paragraphs 212, 215). The data store is represented as a time-series metric database;
“retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval” as in response to a request for events as log messages in a query time range such as today or yesterday (paragraphs 304-306, fig. 8A), retrieving extraction rules as log patterns from a configuration file as a log pattern database (paragraphs 277-278, 295-297, fig. 7B) and retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (fig. 7B), as the metric objects retrieved from a data store (paragraphs 305-306, fig. 8A) as a time series metric database (paragraphs 130, 134).
“reconstructing log messages with time stamps in the query time interval from the log patterns retrieved from the log-pattern database and the metric objects retrieved from the time-series metric database” as generating results, e.g., events with timestamps in the query time range, e.g., one-hour intervals, from extraction rules retrieved from a configuration file (paragraphs 277-278, 295-297, figs. 7B, 8A) and field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (fig. 7B), as the metric objects retrieved from a data store (paragraphs 305-306, fig. 8A) as a time series metric database (paragraphs 130, 134).  Generating results, e.g., events, is not reconstructing log messages.
For example, in response to receiving the search query, search head 210 uses extraction rules to extract values for fields in the events being searched. The search head 210 obtains extraction rules that specify how to extract a value for fields from an event. Extraction rules can comprise regex rules that specify how to extract values for the fields corresponding to the extraction rules. In addition to specifying how to extract field values, the extraction rules may also include instructions for deriving a field value by performing a function on a character string or value retrieved by the extraction rule (paragraph 277).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Pal’s teaching to Ke’s system in order to allow analysts to quickly search and analyze large sets of log messages to visually identify data subsets of interest and further to enable an individual bucket to be relatively quickly transmitted via a network without introducing excessive additional data storage requirements due to metadata.
As to claims 4, 11, 18, Ke and Petersen teach the claimed limitations: 
“wherein reconstructing log messages with time stamps in the query time interval comprises:  for each log pattern with a log ID that corresponds to at least one metric object with a time stamp in the query time interval, for each of the metric objects with the log ID, replacing placeholders in the log pattern with corresponding variable segments of the metric object to obtain a log message” as restoring log messages (Petersen: paragraphs 146, 153) with time stamps in the query time interval e.g., 24 hours (Petersen: figs. 17-18, 20-21, paragraphs 159-161) comprises: for each log source type as each log pattern with log source entity as log ID that corresponds to a count as a metric object with a timestamp in the 24 hours as the query time interval (Petersen: figs. 17-18, 20-21, paragraphs 159-161); and retrieving and displaying log source entity values and log source host values in response to a request for log messages in a previous 60 day(s) as a query time interval (Petersen: figs. 33-35, paragraphs 187-189) to obtain log messages with timestamps in the requested 24 hours or 60 days as the query time interval (Petersen: paragraphs 159-161, 187-189).  The retrieving is not replacing.
reconstructing log messages as for each log template with a template identifier as log ID that corresponds to log data values as metric objects (Ke: col. 3, lines 30-47; col. 6, lines 20-67), for the log data values with the template identifier, replacing template value placeholders in the log template with log data values that include 500 and 30 as segments to reconstruct the log message (Ke: col. 3, lines 30-47; col. 6, lines 20-67; col. 12, lines 20-30).
For example, when retrieving a log message from storage, the log message may be reconstructed by obtaining log data values for replacing the template value placeholders in the log template and a template identifier from the log data store 118 and obtaining the log template from the log template data store 110 using the template identifier and inserting the log data values into the log template (Ke: col. 3, lines 40-47).
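The template/value split and placeholder-based reconstruction described in the Ke mapping above (a log template store and a log data store joined by a template identifier), together with the time-limit expiry from live storage and the query-interval retrieval discussed for Petersen and Yung, as an added illustrative example that is not code from the application or from any cited reference. It assumes a simple regex treating numeric tokens as the variable segments, integer timestamps, and constructed sample messages.

```python
import re
from dataclasses import dataclass

# Assumption: numeric tokens are the variable segments; everything else is template text.
NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
PLACEHOLDER = "<*>"


@dataclass
class MetricObject:
    """Time stamp, log ID of the pattern, and the variable segments stripped from one message."""
    ts: int
    log_id: int
    values: tuple


class LogStore:
    def __init__(self):
        self.live = []          # live storage database: (ts, raw message), retained for `ttl`
        self.patterns = {}      # log-pattern database: log_id -> template with placeholders
        self.pattern_ids = {}   # reverse index: template -> log_id
        self.metrics = []       # time-series metric database: one MetricObject per expired message

    def ingest(self, ts, message):
        """Every log message first lands in live storage in its original form."""
        self.live.append((ts, message))

    def bifurcate(self, ts, message):
        """Split one message into a log pattern and a metric object keyed by the pattern's log ID."""
        values = tuple(NUMBER.findall(message))
        template = NUMBER.sub(PLACEHOLDER, message)
        log_id = self.pattern_ids.setdefault(template, len(self.pattern_ids))
        self.patterns[log_id] = template
        self.metrics.append(MetricObject(ts, log_id, values))

    def expire(self, now, ttl):
        """Move messages that exceed the retention limit out of live storage; return the live count."""
        still_live = []
        for ts, message in self.live:
            if now - ts > ttl:
                self.bifurcate(ts, message)
            else:
                still_live.append((ts, message))
        self.live = still_live
        return len(self.live)

    def reconstruct(self, start, end):
        """Rebuild messages whose metric objects carry time stamps in [start, end]."""
        out = []
        for m in self.metrics:
            if start <= m.ts <= end:
                message = self.patterns[m.log_id]
                for v in m.values:  # placeholders and values share one left-to-right order
                    message = message.replace(PLACEHOLDER, v, 1)
                out.append((m.ts, message))
        return sorted(out)

    def query(self, start, end):
        """Serve a query interval: reconstruct the archived portion, copy the still-live portion."""
        copied = [(ts, msg) for ts, msg in self.live if start <= ts <= end]
        return sorted(self.reconstruct(start, end) + copied)
```

Messages that already contain the placeholder string would be corrupted on reconstruction; a real store would escape it or use a placeholder outside the message alphabet.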

As to claims 7, 14, 21, Ke, Petersen and Pal teach the claimed limitation “displaying reconstructed log messages with time stamps in the query time interval in graphical user interface” as displaying generated events with timestamps in the query range in a graphical user interface (Pal: fig. 8A, paragraphs 304-305).  The generated events are not reconstructed log messages.  Log messages are restored via graphical user interface (Petersen: paragraphs 146, 153, fig. 14).

As to claim 8, Ke teaches a computer system for storing and querying log messages generated by event sources in a distributed computing system (fig. 9, col. 15, lines 30-67), the system comprising: “one or more processors; one or more data-storage devices” as processor(s) 428; one or more computers (fig. 4, col. 9, lines 4-25); “machine-readable instructions stored in the one or more data-storage devices that when executed using the one or more processors controls the system to perform operations comprising” as instructions stored in one or more computers that when executed using a processor perform operations (col. 15, lines 30-67; col. 16, lines 1-25, figs. 4, 9).

As to claim 15, Ke teaches a non-transitory computer-readable medium encoded with machine-readable instructions that implement a method carried out by one or more processors of a computer system to perform operations comprising: (col. 15, lines 30-67; col. 16, lines 1-25, figs. 4, 9).

Claims 3, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ke in view of Petersen and Pal and further in view of Peterson (or hereinafter “Peter”) (US 20210034497).
As to claims 3, 10, 17, Ke, Petersen, Pal teach the claimed limitations:
“wherein retrieving log patterns from the log-pattern database and metric objects from the time-series metric database in response to a request for log messages in a query time interval” as in response to a request for events as log messages in a query time range such as today or yesterday as a query time interval (Pal: paragraphs 304-306, fig. 8A); retrieving extraction rules as log patterns from a configuration file as a log pattern database (Pal: paragraphs 277-278, 295-297, fig. 7B) and retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time series metric database (Pal: paragraphs 130, 134).
Retrieving and displaying log source entity values and log source host values as log patterns in response to a request for log messages in a previous 60 day(s) as a query time interval (Petersen: figs. 33-35, paragraphs 187-189);
“receiving a query time interval via a user interface” as receiving a query time range as time interval via a user interface (Pal: fig.8A, paragraphs 304-306;  Petersen: fig. 14);
“identifying metric objects in the time-series database with corresponding time stamps in the query time interval” as retrieving field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time series metric database (Pal: paragraphs 130, 134).
Ke does not explicitly teach the claimed limitation “reading log IDs recorded in each of the metric objects; and retrieving a log pattern from the log-pattern database for each different log ID”.
Peter teaches the claimed limitations:
“reading log IDs recorded in each of the metric objects” as extracting the plurality of field identifiers 20 from the log record template 18-1 (paragraph 64) and field identifiers 20 from a log record template 18 (paragraphs 50, 69, fig. 10).  The log record templates that make up a number of percent of records (paragraph 81) are represented as metric objects.  The field identifiers of the log record templates are represented as log IDs;
“retrieving a log pattern from the log-pattern database for each different log ID” as retrieving from a log record 12 a log data item 24 as log pattern in the log record 12 that corresponds to the field identifier 20 as different log ID (paragraphs 53, 78). The log record that is stored in log file as log-pattern database (paragraph 30).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Peter’s teaching to Ke’s system in order to eliminate a need for a human to generate log record analysis instructions for each different version of a log record, and for each different written language in which a log record is created, saving time and costs associated with log record analysis and further to increase storage space required to store log files, which overutilizes finite network bandwidth.

Claims 5-6, 12-13, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ke in view of Petersen and Pal and further in view of Yung et al (or hereinafter “Yung”) (US 20210263666).
As to claims 5, 12, 19, Ke, Petersen and Pal teach the claimed limitations “wherein reconstructing log messages with the time stamps in the query time interval comprises the query time interval” as retrieving or restoring log messages (Petersen: paragraphs 146, 153) with time stamps in the query time interval e.g., 24 hours (Petersen: figs. 17-18, 20-21 paragraphs 159-161).
For example, a user of the log manager 203 may develop a rule that collects a particular type of log message. The log entries may be stored in original form, tagged with meta data, and assigned a “normal date” (e.g., a timestamp of the log entry date synchronized to a Standard Time, such as Mountain Standard Time). The log manager 203 may collect those log messages for a certain period of time and write those messages to archive files. The log messages may be retrieved (i.e., restored) for viewing thereafter (Petersen: paragraph 146).  For example, the view 331 provides a raw count of alarms generated within a selected time (e.g., 24 hours). The view 332, however, provides some general information pertaining to those alarms. For example, the view 332 may indicate that certain alarms are associated with suspicious sources activity, hostile remote activity (e.g., denial of service from external sites), and unauthorized accesses (e.g., file server monitoring) as designated by alarm rules. The view 333 provides even more information pertaining to alarms. For example, the view 333 may show the timestamp of a generated alarm, how the alarm relates to various events, and the associated activity as designated by the alarm rule (Petersen: paragraph 160). 
A period of time e.g., Sep. 5, 2016 5:00 PM through Sep. 6, 2016 3:00 PM comprises 5 PM as a query time interval (Pal: paragraph 552).
Ke does not explicitly teach the claimed limitation of the query time interval not overlapping a recent time interval for retaining log messages in the live storage database. Yung teaches a current time stamp that does not pass as not overlapping a re-tier timestamp for retaining objects in a tier as a live storage database (fig. 5, paragraphs 62-63).  The re-tier timestamp, which is determined repeatedly after sending a request to a server for moving an object from a tier to an archive tier at steps 508, 514 (fig. 5, paragraphs 62-63), is represented as a recent time interval.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Yung’s teaching to Ke’s system in order to retrieve all events having a timestamp within a defined time period based on user’s request and allow for more efficient searching and to provide a way to transition these data objects back to the archive tier to preserve the cost efficiency of using an archival storage cloud.

As to claims 6, 13, 20, Ke, Petersen and Pal teach the claimed limitation wherein reconstructing log messages with time stamps in the query time interval comprises: reconstructing log messages with time stamps in a portion of the query time interval; and copying log messages with time stamps in a portion of the query time interval (as retrieving or restoring log messages (Petersen: paragraphs 146, 153) with time stamps in the query time interval e.g., 24 hours (Petersen: figs. 17-18, 20-21 paragraphs 159-161); and 
generating results, e.g., events with timestamps in the query time range, e.g., one-hour intervals, from extraction rules retrieved from a configuration file (Pal: paragraphs 277-278, 295-297, figs. 7B, 8A) and field values, e.g., a plurality of numbers 127.0.01 stored in time-stamped events (Pal: fig. 7B), as the metric objects retrieved from a data store (Pal: paragraphs 305-306, fig. 8A) as a time series metric database (Pal: paragraphs 130, 134).  Generating results, e.g., events, is not reconstructing log messages.
Ke does not explicitly teach the claimed limitations:
that does not overlap a recent time interval for retaining log messages in the live storage database;
that overlaps with the recent time interval from the live storage database.
Yung teaches the limitations:
“a portion of the query time interval that does not overlap a recent time interval for retaining log messages in the live storage database” as a current time stamp that does not pass as not overlapping a re-tier timestamp for retaining objects in a tier as a live storage database (fig. 5, paragraphs 62-63).  The re-tier timestamp, which is determined repeatedly after sending a request to a server for moving objects from a tier to an archive tier at steps 508, 514 (fig. 5, paragraphs 62-63), is represented as a recent time interval;
“a portion of the query time interval that overlaps with the recent time interval from the live storage database” as current time stamp is or has passed as overlaps a re-tier timestamp from object tracker 322 in storage node 106 (fig. 3, paragraph 50) that is represented as live storage database.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Yung’s teaching to Ke’s system in order to retrieve all events having a timestamp within a defined time period based on user’s request and allow for more efficient searching and to provide a way to transition these data objects back to the archive tier to preserve the cost efficiency of using an archival storage cloud.

Allowable Subject Matter
Claims 2, 9, 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and if claims 2, 9, 16 overcome the 112 rejection.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CAM-Y T TRUONG whose telephone number is (571)272-4042. The examiner can normally be reached at (571) 272 4042.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on (571) 272 4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CAM Y T TRUONG/           Primary Examiner, Art Unit 2169