If your reboot windows are static you could build a lookup like this:
host,reboot_start,reboot_end
rebooting_1,2330,2345
rebooting_2,0100,0115
Only add hosts that have a rebooting window scheduled. Add the lookup to your data to allow searches like this:
index=winevents (blah blah) | eval reboot_time = tonumber(strftime(_time, "%H%M")) | where isnull(reboot_start) OR reboot_time < reboot_start OR reboot_time > reboot_end | table blah
Expressing hours and minutes of the day as numbers and comparing them numerically feels a little hacked, but should work.
If your reboot times are dynamic you could build a search that regularly checks the past week for a reboot time window that happened at least six out of seven days and assume that as "okay" for the next day... that's entirely possible, but a bit more work to build, test, and verify.
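As an added illustration (not part of the post above, and written in Python rather than SPL so it runs offline), this reimplements the static-lookup filter from the first search: events are kept when the host has no window at all or its HHMM falls outside the window. It also handles a window that crosses midnight, which the numeric start/end comparison in the post does not; the hosts, windows and events are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed lookup in the same shape as the CSV in the post (hypothetical hosts).
# rebooting_3 has a window that wraps past midnight.
LOOKUP_CSV = """host,reboot_start,reboot_end
rebooting_1,2330,2345
rebooting_2,0100,0115
rebooting_3,2350,0010
"""


def load_windows(text):
    """Return {host: (start, end)} with HHMM values as integers (like tonumber())."""
    return {row["host"]: (int(row["reboot_start"]), int(row["reboot_end"]))
            for row in csv.DictReader(io.StringIO(text))}


def in_window(hhmm, start, end):
    """True when hhmm lies inside [start, end]; start > end means the window wraps midnight."""
    if start <= end:
        return start <= hhmm <= end
    return hhmm >= start or hhmm <= end


def unexpected_reboots(events, windows):
    """Hosts whose reboot event has no scheduled window or falls outside it.

    Equivalent to the post's: isnull(reboot_start) OR outside [reboot_start, reboot_end].
    """
    kept = []
    for ev in events:
        hhmm = int(ev["_time"].strftime("%H%M"))  # same as strftime(_time, "%H%M")
        win = windows.get(ev["host"])             # None == lookup returned nothing
        if win is None or not in_window(hhmm, *win):
            kept.append(ev["host"])
    return kept


# Constructed sample reboot events.
EVENTS = [
    {"host": "rebooting_1", "_time": datetime(2024, 1, 2, 23, 40)},  # inside window
    {"host": "rebooting_1", "_time": datetime(2024, 1, 3, 9, 30)},   # outside window
    {"host": "rebooting_2", "_time": datetime(2024, 1, 3, 1, 5)},    # inside window
    {"host": "rebooting_3", "_time": datetime(2024, 1, 3, 0, 5)},    # inside wrapped window
    {"host": "never_reboots", "_time": datetime(2024, 1, 3, 1, 5)},  # no window -> alert
]

if __name__ == "__main__":
    for host in unexpected_reboots(EVENTS, load_windows(LOOKUP_CSV)):
        print("unexpected reboot:", host)
```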