DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US10505825 to Bettaiah et al. in view of US 20210089377 A1 to Wang et al. and “Unsupervised learning” by Wikipedia.
Referring to claim 1, Bettaiah discloses an alert cluster generation apparatus comprising one or more processors and one or more memories storing instructions that are operable, when executed by the one or more processors, to cause the alert cluster generation apparatus to:
access an alert set associated with one or more service events; apply a feature extraction model that is configured to extract alert features from the alert set (From column 225, “At block 90826, processing actions that create notable events, such as correlation searches, are performed. In one embodiment, the processing of block 90826 may be part of the ongoing operation of a service monitoring system (SMS) largely irrespective of, and possibly without any special accommodation for, automated event groups. Processing of such an embodiment described here is given to illustrate an operating context. In such an embodiment, the SMS 90854 accesses machine data of an machine data event data store 90852, possibly in conjunction with an event processing system, to produce a collection of KPI values for one or more key performance indicators (KPI) reflecting the performance of one or more services as may be provided by an IT environment, for example. Processing of block 90826, such as the execution of a correlation search, may utilize data such as the KPI data of 90856 to monitor and assess system performance and to create records of notable events related thereto. Data store 90814 represents a collection of such notable events. Operations of SMS 90854, including the processing of block 90826, in one embodiment is controlled or directed, at least in part, by the command/control/configuration information of a CCC data store such as 90812. Such operations may be automatic and ongoing without any substantial user interaction as indicated by the circular arrow appearing at the corner of block 90826. Many figures, details, and descriptive matter regarding event data stores, service monitoring systems, key performance indicators, notable events, and correlation searches is easily found elsewhere in this detailed description and will not be repeated here.”);
apply an alert clustering model to group alerts of the alert set into one or more alert clusters based at least in part on the alert features (From column 226-227, “The processing of block 90828 as now described begins from a context where one or more event group policies, such as EGP1 90813, are created, active, and enabled, and SMS processing has been, and may be, producing a collection of notable events, such as 90814. The processing of block 90828, in one embodiment, uses group membership criteria information of an event group policy to identify matching notable events and to make a record of the existence and membership of event groups. In one embodiment, the existence of a group is reflected in computer storage as an event group description instance, for example Group 1 instance 90817 of event groups data 90816. In one embodiment, at least one event group description instance exists for each event group policy defined in CCC data store 90812, even where the group is empty (i.e., has no member events). In one embodiment, an event group description instance is created in 90816 when a first member event is identified for the group by the processing of 90828. In one embodiment, all event group description instances that are created are retained as a historical record, possibly subject to deletion in accordance with the retention policy. In one embodiment, an event group description instance is deleted in response to a termination or deactivation event for the group or all of its member events. These and other embodiments are possible. An event group description instance, such as 90817, provides a representation of the group as a singular, identifiable object, and a collective representation for the multiple, individual events that may belong to the group. In its capacity to provide a collective representation, an event group description instance may contain little, much, or all of the information or categories of information that commonly describe or apply to each of the individual member events. Embodiments may vary as to the distribution and replication of information common to the group/members. The collective representation provided by an event group description instance may stand in contrast to the individual representation provided by a stored representation of individual notable events in 90814. In one embodiment, the processing of 90828 identifies notable events for membership in an event group according to an event group policy by performing a search of notable events 90814 using criteria determined, at least in part, by information in an event group policy. In one embodiment, the notable events of 90814 are maintained in an event index of an event processing system (EPS) and the SMS may utilize the search capabilities of the underlying EPS to perform the search of 90828 to identify member events. In one embodiment, the notable events of 90814 are maintained by the SMS apart from an EPS. In one embodiment, the processing of 90828 evaluates each notable event as it is created by 90826 and ascertains any group membership at that time. In one embodiment, the new membership of a notable event in a notable event group is reflected in a stored representation of each such notable event as in, for example, notable event store 90814. In one embodiment, the membership of a notable event in a notable event group is logically organized together with other group information in an event group description instance such as 90817. These and other embodiments are possible.”);
cause rendering of an alert cluster list interface to a user device display, wherein the alert cluster list interface comprises an alert cluster engagement component associated with at least one of the one or more alert clusters (From column 236 (with emphasis), “FIG. 34ZD9 depicts a user interface example including aspects related to automated event group processing. Such an interface may be useful in relation to the command console and reporting processing block 90836 of FIG. 34ZD1. Such an interface may report to the SMS user summary information about notable events and/or groups thereof, and may report detail information about a particular notable event or group thereof. In the present context of explaining automated event group processing embodiments of an SMS, this discussion of the notable events review interface of FIG. 34ZD9 emphasizes event groups over individual events, though one of skill will recognize that information for groups and for individual events may be intermixed in an embodiment. The user interface display 91600 is shown to include application header area 91610, information and options area 91620, notable events/groups list component 91630, and notable event/group detail component 91650. Application header area 91610 is shown to include slide out lister control 91611, the title “Grouped Notable Events”, timeframe selection element 91612, “Save as” action button 91614, and “Save” action button 91616. Timeframe selection element 91612 is an interactive selection component enabling a user to select a timeframe option from a drop-down list that limits, filters, or selects the notable event data that may be included in the report display. Information and options area 91620 is shown to include a count of the events/groups available for viewing via the interface presently 91622, an indication of one or more filter criteria 91624 use to limit, filter, or select the notable event data included for the report display, and “Show Timeline” action element 91624 enabling a user to indicate the selection of an alternate display mode for the event/group data, for example, a timeline presentation rather than a simple list format. Notable events/groups list component 91630 is shown to include a list header area having a sort indicator/selection element 91632 enabling a user to select a sort order for the displayed information, and refresh action element 91634 enabling a user to indicate to the computing machine and resultingly cause a refresh of the data underlying the display and of the display itself. Notable events/groups list component 91630 is shown to further include individual notable event/group list entries of which 91640 is an example. Notable event/group list entry 91640 is the list entry for an event group created in accordance with an event group policy definition. Notable events/group list entry 91640 is shown to include: an indicator 91642 displaying the number of individual events that are members of the group; a title, “Alert on itsi.backfill_services at 147 . . . ”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91212 of interface 91200 of FIG. 34ZD5; a group time frame or time span indicator 91644 as may be recorded in an embodiment as part of an event group description instance for the group as part of the processing of block 90828 of FIG. 34ZD1; a severity indicator, “Critical”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91216 of interface 91200 of FIG. 34ZD5; a status indicator, “New”; and a description, “Subcomponent [itsi_backfill] [do_run] [19856]”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91214 of interface 91200 of FIG. 34ZD5.”); and
cause common action to each alert of the one or more alert clusters in response to user engagement with the alert cluster engagement component (For example, from column 198-199, “FIG. 34W illustrates an example of a GUI presenting options for actions that may be taken for a corresponding notable event produced as a result of a correlation search, in accordance with one or more implementations of the present disclosure. If the creation of a ticket was not configured to be the action resulting from a correlation search, a ticket can be created from any notable event that was previously created through the Incident Review interface. In another implementation, a ticket can be created from any notable event in the Incident Review interface, even if the creation of another ticket was configured as part of the correlation search. As described above, when actions column 34577 for a particular notable event entry in results section 34570 of GUI 34550 is selected, a number of action options are displayed. In one implementation, the action options additionally include “create ServiceNow ticket” 34718. Selection of option 34718 may create a single ticket for the selected notable event(s). In one implementation, selection of option 34718 causes display of modal window 34720 which contains the configuration options for creating an incident ticket, as shown in FIG. 34X, or for creating an event ticket, as shown in FIG. 34Y. In one implementation, the configuration options are the same as the options illustrated in FIG. 34U and FIG. 34V, respectively.” Further, from column 237, “Notable event/group detail component 91650 is shown to include detail header area 91660 and tabbed display area 91670. Detail header area 91660 is shown to include the event group title 91662 and the event group time frame or time span 91664. Tabbed display area 91670 is shown to include: tab controls area 91672 including an “Overview” active tab control 91674, a “Grouped Events” inactive tab control 91675, a “Comments” inactive tab control 91676, and an “Activity” inactive tab control 91678; a description information area 91682 including the group description, a count of the events in the group, the title of the associated event group policy definition as an interactive element for navigating to the display of event group policy definition information, and a color-coded list of the counts of group events by severity; a tickets information area 91684 including a list of trouble tickets associated with the group or the member events thereof; a Contributing KPIs information area 91686 including a list of KPIs contributing to the member events of the group (none shown), each possibly presented as an interactive element for navigating to the display of related and/or more detailed KPI data/information, and including an interactive element for navigating to a deep dive display populated with the KPIs of the list; and a Possible Affected Services information area 91688 including a list of services potentially impacted in light of the notable events of the group, each presented as an interactive element for navigating to the display of other service data/information, and including an interactive element for navigating to a deep dive display populated with the services of the list. User interaction with “Grouped Events” tab control 91675 in one embodiment may result in the transition of the display of tabbed display area 91670 to a display of grouped events information as next shown and discussed in relation to FIG. 34ZD10.”).
Although Bettaiah does not specifically disclose the use of vector transformations from the alert set, this is known in the art. In a related field of computing, an example of this is shown by US 20210089377 A1 to Wang et al. Paragraph 27, “The messages may be processed to remove less relevant information from each message. For example, in some aspects, the messages are processed to remove field labels, punctuation, or other less relevant information. A vector is then generated based on content of messages assigned to a message block. As additional messages are assigned to a particular block, the vector for the message block is regenerated.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to vectorize data because, as shown by Wang, paragraph 30, “Thus, the disclosed embodiments provide for improved response time in addressing network or distributed system issues. By projecting messages within a block into a vector space, similar issues may be associated such that common root causes and/or remedial actions may be identified.”
Although Bettaiah does not specifically disclose the clustering model is an unsupervised machine learning model, this is known in the art. In a related field of computing, an example of this is shown by Wikipedia, from page 1, “Unsupervised learning, is paradigm in machine learning where, in contrast to supervised learning and semi-supervised learning, algorithms learn patterns exclusively from unlabeled data.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention because, as shown by Wikipedia, this allows the algorithm to learn from unlabeled data. Further, from page 4, “Cluster analysis is used in unsupervised learning to group, or segment, datasets with shared attributes in order to extrapolate algorithmic relationships. Cluster analysis is a branch of machine learning that groups the data that has not been labelled, classified or categorized. Instead of responding to feedback, cluster analysis identifies commonalities in the data and reacts based on the presence or absence of such commonalities in each new piece of data. This approach helps detect anomalous data points that do not fit into either group.”
Referring to claim 2-4, Bettaiah and Wang and Wikipedia discloses wherein the alert cluster list interface comprises an alert cluster bulk action component associated with at least one of the one or more alert clusters, further comprising causing rendering of the alert cluster bulk action component to the user device display in association with the one or more alert clusters, wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster generation apparatus to: generate one or more recommended actions based on at least one of the one or more alert clusters, and cause, based on the one or more recommended actions, the common action to each alert of the one or more alert clusters in response to user engagement with the alert cluster bulk action component (Bettaiah, for example, from column 198-199, “FIG. 34W illustrates an example of a GUI presenting options for actions that may be taken for a corresponding notable event produced as a result of a correlation search, in accordance with one or more implementations of the present disclosure. If the creation of a ticket was not configured to be the action resulting from a correlation search, a ticket can be created from any notable event that was previously created through the Incident Review interface. In another implementation, a ticket can be created from any notable event in the Incident Review interface, even if the creation of another ticket was configured as part of the correlation search. As described above, when actions column 34577 for a particular notable event entry in results section 34570 of GUI 34550 is selected, a number of action options are displayed. In one implementation, the action options additionally include “create ServiceNow ticket” 34718. Selection of option 34718 may create a single ticket for the selected notable event(s). In one implementation, selection of option 34718 causes display of modal window 34720 which contains the configuration options for creating an incident ticket, as shown in FIG. 34X, or for creating an event ticket, as shown in FIG. 34Y. In one implementation, the configuration options are the same as the options illustrated in FIG. 34U and FIG. 34V, respectively.” Further, from column 237, “Notable event/group detail component 91650 is shown to include detail header area 91660 and tabbed display area 91670. Detail header area 91660 is shown to include the event group title 91662 and the event group time frame or time span 91664. Tabbed display area 91670 is shown to include: tab controls area 91672 including an “Overview” active tab control 91674, a “Grouped Events” inactive tab control 91675, a “Comments” inactive tab control 91676, and an “Activity” inactive tab control 91678; a description information area 91682 including the group description, a count of the events in the group, the title of the associated event group policy definition as an interactive element for navigating to the display of event group policy definition information, and a color-coded list of the counts of group events by severity; a tickets information area 91684 including a list of trouble tickets associated with the group or the member events thereof; a Contributing KPIs information area 91686 including a list of KPIs contributing to the member events of the group (none shown), each possibly presented as an interactive element for navigating to the display of related and/or more detailed KPI data/information, and including an interactive element for navigating to a deep dive display populated with the KPIs of the list; and a Possible Affected Services information area 91688 including a list of services potentially impacted in light of the notable events of the group, each presented as an interactive element for navigating to the display of other service data/information, and including an interactive element for navigating to a deep dive display populated with the services of the list. User interaction with “Grouped Events” tab control 91675 in one embodiment may result in the transition of the display of tabbed display area 91670 to a display of grouped events information as next shown and discussed in relation to FIG. 34ZD10.”).
Referring to claims 5-6, Bettaiah and Wang and Wikipedia discloses wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster generation apparatus to: cause rendering of an alert cluster detail interface associated with the at least one of the one or more alert clusters upon receiving a user engagement indication associated the alert cluster engagement component; wherein the alert cluster detail interface comprises an alert cluster pattern interface component that is configured to visually depict alert analytics associated with the at least one of the one or more alert clusters (Bettaiah, from column 237, “Notable event/group detail component 91650 is shown to include detail header area 91660 and tabbed display area 91670. Detail header area 91660 is shown to include the event group title 91662 and the event group time frame or time span 91664. Tabbed display area 91670 is shown to include: tab controls area 91672 including an “Overview” active tab control 91674, a “Grouped Events” inactive tab control 91675, a “Comments” inactive tab control 91676, and an “Activity” inactive tab control 91678; a description information area 91682 including the group description, a count of the events in the group, the title of the associated event group policy definition as an interactive element for navigating to the display of event group policy definition information, and a color-coded list of the counts of group events by severity; a tickets information area 91684 including a list of trouble tickets associated with the group or the member events thereof; a Contributing KPIs information area 91686 including a list of KPIs contributing to the member events of the group (none shown), each possibly presented as an interactive element for navigating to the display of related and/or more detailed KPI data/information, and including an interactive element for navigating to a deep dive display populated with the KPIs of the list; and a Possible Affected Services information area 91688 including a list of services potentially impacted in light of the notable events of the group, each presented as an interactive element for navigating to the display of other service data/information, and including an interactive element for navigating to a deep dive display populated with the services of the list. User interaction with “Grouped Events” tab control 91675 in one embodiment may result in the transition of the display of tabbed display area 91670 to a display of grouped events information as next shown and discussed in relation to FIG. 34ZD10.”).
Referring to claims 7-8, Bettaiah and Wang and Wikipedia discloses ranking alerts of the alert set into a ranked sequence based at least in part on the alert features; wherein ranking alerts of the alert set into an updated ranked sequence based at least in part on the one or more alert features and alert feedback received from an alert manager device (Bettaiah, from column 236 (with emphasis), “FIG. 34ZD9 depicts a user interface example including aspects related to automated event group processing. Such an interface may be useful in relation to the command console and reporting processing block 90836 of FIG. 34ZD1. Such an interface may report to the SMS user summary information about notable events and/or groups thereof, and may report detail information about a particular notable event or group thereof. In the present context of explaining automated event group processing embodiments of an SMS, this discussion of the notable events review interface of FIG. 34ZD9 emphasizes event groups over individual events, though one of skill will recognize that information for groups and for individual events may be intermixed in an embodiment. The user interface display 91600 is shown to include application header area 91610, information and options area 91620, notable events/groups list component 91630, and notable event/group detail component 91650. Application header area 91610 is shown to include slide out lister control 91611, the title “Grouped Notable Events”, timeframe selection element 91612, “Save as” action button 91614, and “Save” action button 91616. Timeframe selection element 91612 is an interactive selection component enabling a user to select a timeframe option from a drop-down list that limits, filters, or selects the notable event data that may be included in the report display. Information and options area 91620 is shown to include a count of the events/groups available for viewing via the interface presently 91622, an indication of one or more filter criteria 91624 use to limit, filter, or select the notable event data included for the report display, and “Show Timeline” action element 91624 enabling a user to indicate the selection of an alternate display mode for the event/group data, for example, a timeline presentation rather than a simple list format. Notable events/groups list component 91630 is shown to include a list header area having a sort indicator/selection element 91632 enabling a user to select a sort order for the displayed information, and refresh action element 91634 enabling a user to indicate to the computing machine and resultingly cause a refresh of the data underlying the display and of the display itself. Notable events/groups list component 91630 is shown to further include individual notable event/group list entries of which 91640 is an example. Notable event/group list entry 91640 is the list entry for an event group created in accordance with an event group policy definition. Notable events/group list entry 91640 is shown to include: an indicator 91642 displaying the number of individual events that are members of the group; a title, “Alert on itsi.backfill_services at 147 . . . ”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91212 of interface 91200 of FIG. 34ZD5; a group time frame or time span indicator 91644 as may be recorded in an embodiment as part of an event group description instance for the group as part of the processing of block 90828 of FIG. 34ZD1; a severity indicator, “Critical”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91216 of interface 91200 of FIG. 34ZD5; a status indicator, “New”; and a description, “Subcomponent [itsi_backfill] [do_run] [19856]”, as may have been determined in view of event group policy definition information populated as a result of user interaction with element 91214 of interface 91200 of FIG. 34ZD5.”).
Referring to claims 9-20 see rejection of claims 1-8 above.
Response to Arguments
Applicant's arguments filed 29 December 2025 have been fully considered but they are not persuasive.
Regarding Applicant’s argument (page 8) that the Bettaiah and Wang fails to disclose unsupervised machine learning, see rejection above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GABRIEL L CHU whose telephone number is (571)272-3656. The examiner can normally be reached weekdays 8 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas can be reached at (571)272-0631. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GABRIEL CHU/Primary Examiner, Art Unit 2114