| rex "(?<maint_start>start of maintenance)"
| rex "(?<maint_end>end of maintenance)"
| stats list(eval(if(isnotnull(maint_start), _time, null()))) as maint_starts,
        list(eval(if(isnotnull(maint_end), _time, null()))) as maint_ends by host
| eval maint_period=mvzip(maint_starts, maint_ends, ",")
| mvexpand maint_period
| rex field=maint_period "^(?<maint_start>[\d.]+)\s*,\s*(?<maint_end>[\d.]+)?$"
| eval maint_start=tonumber(maint_start), maint_end=tonumber(maint_end)
| eval duration=maint_end-maint_start, _time=maint_start
| fillnull value="MAINTENANCE ONGOING" duration maint_end

Maybe something like this to get the maintenance timeframes and durations? And then use those results with an append or join to filter out the alert timeframes. You could also write the maintenance periods into a lookup file and then use that to filter out the timeframes that fall into maintenance windows.
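As an added example (my own SPL, not the poster's), this is one way to do the filtering step the answer describes with an append: the maintenance start/end events are appended to the alert events, sorted per host by time, and a running streamstats flag records whether the most recent maintenance marker seen for that host was a start or an end, so only alerts raised outside a window (or on hosts with no window at all) survive. The index names, sourcetype and the marker strings are assumptions.

```spl
index=alerts sourcetype=app_alert
| eval kind="alert"
| append
    [ search index=maint ("start of maintenance" OR "end of maintenance")
      | eval kind=if(match(_raw, "start of maintenance"), "maint_start", "maint_end")
      | table _time host kind ]
| eval in_maint=case(kind="maint_start", 1, kind="maint_end", 0)
| sort 0 host _time
| streamstats current=f last(in_maint) as in_maint_flag by host
| where kind="alert" AND coalesce(in_maint_flag, 0)=0
| fields - kind in_maint in_maint_flag
```

The in_maint field is only set on maintenance events, so last(in_maint) carries the latest start (1) or end (0) forward across the alert events that follow it; an alert on a host whose last marker is a start is dropped. Keep in mind that the appended subsearch is subject to the usual subsearch result and time limits, so for long ranges the lookup approach from the answer scales better.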