Detect Indexers in Maintenance Mode

This query lists any clustered indexers that are currently in maintenance mode. To use it as an alert, schedule it; it does not work as a real-time search.


sourcetype=splunkd reason="'Maintenance mode*"
| dedup host
| eval maintenance_mode_enabled=if(reason="'Maintenance mode started'", "true", "false")
| where maintenance_mode_enabled="true"
| table _time, host, reason, maintenance_mode_enabled
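As an added example that is not part of the original page, the same detection logic in Python over a few constructed splunkd-style lines: keep only maintenance-mode events, keep the most recent one per host (what the `dedup host` step does on time-sorted search results), and report the hosts whose most recent event is "Maintenance mode started". The line layout, the host names and the timestamps are constructed for this example; real splunkd.log lines carry more fields and a different timestamp format, and the `reason` field extraction in the query above is Splunk's, not this regex.

```python
import re
from datetime import datetime

# Constructed splunkd-style lines (layout, hosts and times are made up for this
# example; they are not real splunkd.log output).
SAMPLE_LOG = """\
2024-01-10 08:00:00 idx01 reason='Maintenance mode started'
2024-01-10 08:05:00 idx02 reason='Maintenance mode started'
2024-01-10 09:00:00 idx01 reason='Maintenance mode stopped'
2024-01-10 09:30:00 idx03 reason='Maintenance mode started'
2024-01-10 10:00:00 idx02 reason='Maintenance mode stopped'
2024-01-10 10:30:00 idx02 reason='Maintenance mode started'
2024-01-10 11:00:00 idx04 reason='Some unrelated reason'
"""

# Hypothetical line format: "<timestamp> <host> reason='<reason>'".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) reason='(?P<reason>[^']*)'$"
)


def parse_events(text):
    """Parse lines into (timestamp, host, reason) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("reason")))
    return events


def latest_maintenance_event_per_host(events):
    """Equivalent of the filter plus 'dedup host': keep maintenance-mode events only,
    and for each host only the most recent one (compared by timestamp, so the
    input order does not matter)."""
    latest = {}
    for ts, host, reason in events:
        if not reason.startswith("Maintenance mode"):
            continue
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, reason)
    return latest


def hosts_in_maintenance_mode(text):
    """Return the sorted list of hosts whose most recent maintenance-mode event is 'started'."""
    latest = latest_maintenance_event_per_host(parse_events(text))
    return sorted(
        host for host, (_, reason) in latest.items() if reason == "Maintenance mode started"
    )


if __name__ == "__main__":
    for host in hosts_in_maintenance_mode(SAMPLE_LOG):
        print(host)
```

On the sample data idx01 and idx02 both started and stopped maintenance, but idx02 started again afterwards, so only idx02 and idx03 are reported; idx04 never produced a maintenance-mode event. This is also why the query depends on seeing the whole time window: a real-time search that hands `dedup host` one event at a time cannot tell whether a "started" event has since been followed by a "stopped".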