1. Good 🙂

2. Can't help you without a proper sample of events and a description of the desired outcome, but it is possible that transaction is the only solution. It sometimes happens (the command is there for a reason after all ;-)). It's just that performance-wise it's often better to find another way for your search, especially if it's going to be invoked often and over a big set of data. If it's a one-off, it's probably not worth the effort.

3. For example, something like this:

   index=whatever other=conditions earliest=-2d@d latest=-1d@d | <your evals, transactions and whatnot> | where _time<relative_time(now(),"-1d@d-6h")

The last "where" command limits your results to only those that started no later than 6 hours before the "latest" parameter of your search. This means you're searching within a day - from -2d@d till -1d@d - but later filtering out the 6 latest hours of that range.
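To make the window arithmetic in the answer above concrete, here is an added Python emulation (not Splunk's code and not part of the original post) of the small subset of relative-time modifiers the search uses: chained signed offsets such as -2d or -6h and @d snaps, applied left to right. It then runs the same three-step filter over a constructed set of events: earliest (inclusive) to latest (exclusive), followed by the where _time<relative_time(now(),"-1d@d-6h") cutoff. The fixed NOW value and the EVENTS list are constructed for the example; only s, m, h and d units and snaps are supported, so week, month and weekday modifiers are out of scope.

```python
import re
from datetime import datetime, timedelta

# Constructed "now" so the run is reproducible (Splunk's now() is the search start time).
NOW = datetime(2024, 3, 10, 14, 30, 0)

# One token is either a signed offset with a unit (-2d, +6h) or a snap (@d).
_TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")


def relative_time(now, modifier):
    """Emulate a subset of Splunk relative-time modifiers (an approximation
    written for this example, not Splunk's implementation).

    Tokens are applied left to right, so "-1d@d-6h" means: go back one day,
    snap to the start of that day, then go back six hours.
    """
    t = now
    pos = 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unsupported modifier syntax: {modifier!r}")
        pos = m.end()
        if m.group(3):  # snap: truncate to the start of the unit
            unit = m.group(3)
            if unit == "d":
                t = t.replace(hour=0, minute=0, second=0, microsecond=0)
            elif unit == "h":
                t = t.replace(minute=0, second=0, microsecond=0)
            elif unit == "m":
                t = t.replace(second=0, microsecond=0)
            else:
                t = t.replace(microsecond=0)
        else:  # signed offset in s/m/h/d
            n = int(m.group(1))
            field = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
            t = t + timedelta(**{field: n})
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier syntax: {modifier!r}")
    return t


def search(events, now, earliest, latest, where_before):
    """Apply the search window, then the post-search 'where' cutoff.

    Splunk treats earliest as inclusive and latest as exclusive; the where
    clause keeps events whose _time is strictly before the cutoff.
    """
    lo = relative_time(now, earliest)
    hi = relative_time(now, latest)
    cutoff = relative_time(now, where_before)
    windowed = [e for e in events if lo <= e["_time"] < hi]
    return [e for e in windowed if e["_time"] < cutoff]


# Constructed sample events placed around the window and cutoff boundaries.
EVENTS = [
    {"_time": datetime(2024, 3, 7, 23, 59), "id": "before-window"},
    {"_time": datetime(2024, 3, 8, 0, 0),   "id": "window-start"},
    {"_time": datetime(2024, 3, 8, 12, 0),  "id": "midday"},
    {"_time": datetime(2024, 3, 8, 17, 59), "id": "just-before-cutoff"},
    {"_time": datetime(2024, 3, 8, 18, 0),  "id": "at-cutoff"},
    {"_time": datetime(2024, 3, 8, 23, 30), "id": "last-6h"},
    {"_time": datetime(2024, 3, 9, 0, 0),   "id": "window-end"},
    {"_time": datetime(2024, 3, 9, 10, 0),  "id": "after-window"},
]


def kept_ids(now=NOW):
    """IDs of the events that survive the window plus the 6-hour cutoff."""
    return [e["id"] for e in search(EVENTS, now, "-2d@d", "-1d@d", "-1d@d-6h")]


if __name__ == "__main__":
    for name in ("-2d@d", "-1d@d", "-1d@d-6h"):
        print(f"{name:>10} -> {relative_time(NOW, name)}")
    print("kept:", kept_ids())
```

With NOW at 2024-03-10 14:30, the window runs from 2024-03-08 00:00 up to but excluding 2024-03-09 00:00, and the cutoff lands at 2024-03-08 18:00, so only the first three in-window events survive. Because both latest and the cutoff snap to @d, the relationship between them is stable no matter what time of day the search runs, which is what makes this safe for a scheduled search.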