This is the very, very low tech way of handling this - and it does not scale well - but you could always have multiple copies of the same scheduled search/alert.
It looks like it would take three cron entries:
cron_schedule=40-59 00 * * *
cron_schedule=* 1-2 * * *
cron_schedule=00-20 02 * * *
Note I'm assuming that Splunk's crontab is as flexible as Vixie cron - which it should be.
... View more