Nightly, my organization puts a bunch of pieces of equipment into "maintenance mode" to do repairs and such on them. I've got a data source which records the state of a device (as either on or off) which looks similar to this:

| makeresults
| eval SEED_DATA = 
"4th Floor,Server,A123,ON|".
"4th Floor,Server,A123,OFF|".
"4th Floor,Server,A123,ON|".
"5th Floor,Computer,C234,ON|".
"6th Floor,Printer,M345,OFF|".
"6th Floor,Printer,M345,ON"
| eval SEED_DATA = split(SEED_DATA,"|")
| mvexpand SEED_DATA
| rex field=SEED_DATA "^(?<FLOOR>[^,]+),(?<DEVICE_TYPE>[^,]+),(?<DEVICE>[^,]+),(?<STATE>[^,]+)$"
| fields - SEED_DATA
| table _time FLOOR DEVICE_TYPE DEVICE STATE

I'm trying to write a macro that I can apply to any arbitrary log of device data, where the macro appends a TRUE/FALSE value to the current dataset in regards to whether that particular event occurred during a Maintenance period or not. For example, let's assume this is the data set I want to run my macro on:

| makeresults
| fields - _time
| eval SEED_DATA = 
"A123,".round(relative_time(now(),"-6h"),0)."|".
"C234,".round(relative_time(now(),"-8h"),0)."|".
"M345,".round(relative_time(now(),"-10h"),0)."|".
"S456,".round(relative_time(now(),"-12h"),0)."|".
"R567,".round(relative_time(now(),"-14h"),0)."|".
"W678,".round(relative_time(now(),"-16h"),0)
| eval SEED_DATA = split(SEED_DATA,"|")
| mvexpand SEED_DATA
| rex field=SEED_DATA "^(?<ZONE_DATA>[^,]+),(?<LATEST>.*)$"
| fields - SEED_DATA
| eval ZONE = substr(ZONE_DATA,0,1)
| eval EARLIEST = LATEST - 86400
| eval EARLIEST = tostring(strftime(EARLIEST, "%m/%d/%Y:%H:%M:%S")), LATEST = tostring(strftime(LATEST, "%m/%d/%Y:%H:%M:%S"))
| table ZONE_DATA ZONE EARLIEST LATEST

And, let's assume this is more or less what the macro looks like and does:

| multireport 
    [table *]
    [map search="search index=ZONE_DATA sourcetype=MAINTENANCE_INFO DEVICE_TYPE=computer DEVICE=\"$zone$*\" earliest=\"$earliest$\" latest=\"$latest$\"
    | fields _time DEVICE STATE
    | table _time DEVICE STATE 
    | sort 0 _time
    | eval COMBINE = _time.\"|\".STATE
    | table DEVICE COMBINE 
    | mvcombine COMBINE 
    | streamstats last(COMBINE) as LAST_COMBINE 
    | rex field=LAST_COMBINE \"^(?<LATEST_TIMESTAMP>[^|]+)\|(?<LATEST_STATUS>[^|]+)$\" 
    | eval STATUS_VALUE = if(LATEST_STATUS==\"ON\",1,0) 
    | eventstats avg(STATUS_VALUE) as PERCENTAGE_ON
    | stats values(PERCENTAGE_ON) as PERCENTAGE_ON
    | eval MAINTENANCE = if(PERCENTAGE_ON > 0.5, \"TRUE\", \"FALSE\")"]
| stats list(*) AS *

We can also assume this is more or less what the output looks like:

My question, essentially, is whether I'm going to end up with problems trying to scale out this solution. I'm aware that the map function is pretty resource intensive, but I'm not sure that I have another way of doing this without doing some very complicated work combining the two data streams and trying to figure out some other workaround.

I've considered making a summary index of the state of the various zones over time, so that every 5 mins I write a log statement to a summary index which states whether the zone is in maintenance mode or not. I'd still need to use a map command to check what the state of that zone was at the time I'm checking for, but at least the source of data for that map command would be smaller and less resource intensive to check. This might just be pushing the problem down the line, though.

Looking for any other thoughts regarding another way to do this, or some unlikely reassurance that map isn't going to break my environment if used this way.