Ok, so here is my question

These 3 lines denote possible values for scheduled downtime

MSG WHEN DOWNTIME START

STARTED 
    SERVICE DOWNTIME ALERT: afakeci;Service Schedule;STARTED; Service has entered a period of scheduled downtime

CANCELLED
    SERVICE DOWNTIME ALERT: afakeci;Service Schedule;CANCELLED; Scheduled downtime for service has been cancelled.

STOPPED
    SERVICE DOWNTIME ALERT: afakeci;Service Schedule;STOPPED; Service has exited from a period of scheduled downtime

Then i have my SPL looking for something

index="test" earliest=-1h
    AND
    ( 
        ( eventname="SERVICE NOTIFICATION" AND status_code=CRITICAL ) OR 
        ( eventname="PASSIVE SERVICE CHECK" AND state=2 )   
        AND ( service_name="CPU utilization" OR 
        service_name="Memory and pagefile*" OR
        service_name="Filesystem*" OR 
        service_name="Service*" OR 
        service_name="File*") )
    OR
    ( eventname="HOST NOTIFICATION" AND status_code="DOWN" )    
| eval service_name=if( eventname=="HOST NOTIFICATION" , "ICMP request (PING)" , service_name )
| eval status_code=if( eventname=="PASSIVE SERVICE CHECK" , "CRITICAL" , status_code )
| eval nagios_timestamp=timestamp
| convert ctime(nagios_timestamp)
| eval alert_seed=status_code.".".host_name.".".service_name

What i want to do is:

IF my SPL found a event then
Execute second query to find during the last hour at least one ocurrence of downtime with status != of STARTED:

index="test" host_name=afakeci earliest=-1 eventname="SERVICE DOWNTIME ALERT" ( "CANCELLED" OR "STOPPED" ) | stats count

In this case means that maintanence mode finished and the alert is real then i can raise alert
ELSE
Finish the execution

I was checking for cmds "transaction", "search" ... and did not found a solution yet =(