Awesome. Thanks! Those were very helpful answers.

Transactions that entirely are in the third hour will be searched in the next scheduled execution. Transactions that had their "tail" in the first hour were already found by the previous scheduled execution.

You schedule a search for 2 */2 * * * or however long you want to wait for events to be present from distant systems, set the time range to -3h@h to @h, and build your search like this:

base search | transaction blah blah | search to make sure a transaction is complete | addinfo | where _time < relative_time(info_min_time, "+2h")

The last where is key. You search over three hours, assemble transactions, and then only keep transactions that started in the first two hours. As a result you get transactions whose "tail" is in the third hour.

In other words, it doesn't handle that.

Whether these "half transactions" are included in your results depends on the configuration of the transaction command and the available data. For example, if your transaction only has a start and end event then I'd say seeing only one of those would cause that transaction to be evicted and hidden unless explicitly shown with keepevicted=t.

To get around that you should always run overlapping transaction searches. Say you know a transaction is at most one hour long and you want to schedule a search every two hours over the previous two hours.