-30d@d now
index="idx_tic_spectrum" (Creation_Date=* OR Acknowledged="true")
``` Purpose: for each alarm, compute the time to acknowledgement counted in business time only (08:00-17:00, Monday to Friday) and list the alarms with a non-zero result. ```
``` Group the events that share the same id into one row. keepevicted and keeporphans also keep incomplete groups and ungrouped events. NOTE(review): no maxspan or maxpause is set, so pairing relies on id alone - confirm ids are not reused inside the search window. ```
| transaction id keepevicted=true keeporphans=true
``` Drop alarms whose Severity is Normal or Maintenance. ```
| search Severity!=Normal Severity!=Maintenance
``` Match Network_Address against the IP column of the lookup file to get the device Owner, then keep a single owner. ```
| lookup spectrum_devices_dynamic.csv IP as Network_Address OUTPUT Owner
| search Owner="CEIP Reseau"
``` First value of Date, used as the acknowledgement timestamp. NOTE(review): Date may be multivalue after transaction - confirm that index 0 is the acknowledgement entry. ```
| eval ack_time_str = mvindex(Date,0)
``` Pull the two-digit hour out of the HH:MM:SS part of both timestamps. ```
| rex field=ack_time_str " (?<ack_hour>[0-9]{2}):[0-9]{2}:[0-9]{2}"
| rex field=Creation_Date " (?<begin_hour>[0-9]{2}):[0-9]{2}:[0-9]{2}"
``` Keep only alarms created between 08:00 and 16:59. ```
| where begin_hour >= 8 and begin_hour <17
| eval ack_time = strptime(ack_time_str,"%Y-%m-%d %H:%M:%S")
``` Day number since the epoch after adding a fixed 7200 s. NOTE(review): this looks like a hard-coded UTC+2 offset - confirm, since a fixed value would be one hour off whenever the local offset differs. The begin_hour>=17 branch cannot be taken after the filter above. ```
| eval begin_day=if(begin_hour>=17,floor((_time+7200)/86400)+1,floor((_time+7200)/86400))
``` Weekday of the start day, where 0 is Sunday and 6 is Saturday. ```
| eval begin_week_day = strftime(begin_day*86400,"%w")
``` Move a weekend start to the following Monday; the next filter then discards alarms that started on a weekend, using the weekday computed before the move. ```
| eval begin_day = if(begin_week_day==0,begin_day+1,if(begin_week_day==6,begin_day+2,begin_day))
| where begin_week_day !=0 and begin_week_day!=6
``` Week counter that changes on Sundays (epoch day 3 was a Sunday). ```
| eval begin_week = floor((begin_day-3)/7)
``` Same steps for the acknowledgement: an acknowledgement at 17:00 or later counts for the next day, and a weekend day is moved to Monday. ack_week_day is taken before the move and is reused further down. ```
| eval ack_day=if(ack_hour>=17,floor((ack_time+7200)/86400)+1,floor((ack_time+7200)/86400))
| eval ack_week_day = strftime(ack_day*86400,"%w")
| eval ack_day = if(ack_week_day==0,ack_day+1,if(ack_week_day==6,ack_day+2,ack_day))
| eval ack_week = floor((ack_day-3)/7)
``` Clamp a timestamp that falls outside business time to day*86400+21600, which is 08:00 under the +7200 s offset; otherwise keep the real time. After the two where filters the begin_date condition is always false, so begin_date equals _time. ```
| eval begin_date = if(begin_hour>=17 OR begin_hour<8 OR begin_week_day==0 OR begin_week_day==6,begin_day*86400+21600,_time)
| eval ack_date = if(ack_hour>=17 OR ack_hour<8 OR ack_week_day==0 OR ack_week_day==6,ack_day*86400+21600,ack_time)
``` Number of day boundaries and week boundaries crossed between start and acknowledgement. ```
| eval diffday = ack_day-begin_day
| eval diffweek = ack_week-begin_week
``` Elapsed seconds minus 54000 s (15 h outside 08:00-17:00) per day crossed and a further 64800 s (18 h, two 9-hour days) per weekend crossed. ```
| eval ack_duration = round((ack_date-begin_date)-(diffday*54000)-(diffweek*64800))
``` Keep non-zero durations. The != test only matches when the field exists, so rows without a computed ack_duration (for example no Date value) are excluded as well - an alarm that was never acknowledged does not appear in this table. ```
| search ack_duration!=0
| table Severity Alarm_Title _time ack_time_str ack_duration
``` Render the seconds as a duration string. ```
| eval ack_duration = tostring(ack_duration,"duration")
``` NOTE(review): the two field1 tokens below look like the dashboard time-range bounds (earliest and latest) captured together with the query text, not arguments of the eval above - confirm against the panel definition. ```
$field1.earliest$ $field1.latest$