Hi everybody
I'm going crazy because of a "time problem" which doesn't sound hard to handle, but I don't get it... My hope is that one of you can help me.
I have plenty of User-Logs with a timestamp. The goal is to find suspicious user behavior like user-actions during a specific time.
First I have to define the "normal" time a user is working. This time-interval has to be between 19:00 day1 and 07:00 day2.
My problem here is that the command "earliest" is not really useful, because if someone's first action is 23:00 and the last action is 01:00 it will give me 01:00 as an earliest-output and 23:59 as his latest.
Example:
Day1: first action 19:00, last action 20:30
Day2: first action 20:00, last action 22:00
Day3: first action 23:00, last action 01:00
Day4: first action 01:00, last action 01:30
The "normal" first action would be the average of the first action: 21:45
The "normal" last action would be the average of the last action: 23:30
My first problem is to define a time-interval which starts at 19:00 day1 and ends 07:00 day2
My second problem is that I don't know how to write the search to get a list like the one in the example.
Thanks for answering,
redlose
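
One way to handle a 19:00 to 07:00 window that crosses midnight, as an added example that is not part of the original post: subtract 19 hours from every timestamp so each shift falls inside a single calendar date, then average the per-shift first and last offsets and list events outside the window. The user name, dates and log layout are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SHIFT_START = timedelta(hours=19)   # window opens at 19:00 on day 1
SHIFT_LENGTH = timedelta(hours=12)  # and closes at 07:00 on day 2

# Constructed sample log (user, timestamp) following the four days in the post,
# plus one event outside the 19:00-07:00 window.
SAMPLE_LOG = [
    ("alice", "2024-01-01 19:00"), ("alice", "2024-01-01 20:30"),
    ("alice", "2024-01-02 20:00"), ("alice", "2024-01-02 22:00"),
    ("alice", "2024-01-03 23:00"), ("alice", "2024-01-04 01:00"),
    ("alice", "2024-01-05 01:00"), ("alice", "2024-01-05 01:30"),
    ("alice", "2024-01-06 14:10"),
]

def shift_offset(ts):
    """Return (shift date, time elapsed since 19:00 of that shift)."""
    shifted = ts - SHIFT_START  # 19:00 becomes 00:00 of the shift date
    midnight = shifted.replace(hour=0, minute=0, second=0, microsecond=0)
    return shifted.date(), shifted - midnight

def avg_clock(offsets):
    """Average offsets since 19:00; return wall-clock HH:MM (None if empty)."""
    if not offsets:
        return None
    mean = SHIFT_START + sum(offsets, timedelta()) / len(offsets)
    minutes = int(mean.total_seconds() // 60) % (24 * 60)  # wrap past midnight
    return f"{minutes // 60:02d}:{minutes % 60:02d}"

def profile(log):
    """Per user: average first/last action and events outside the window."""
    shifts = defaultdict(lambda: defaultdict(list))
    outside = defaultdict(list)
    for user, raw in log:
        day, off = shift_offset(datetime.strptime(raw, "%Y-%m-%d %H:%M"))
        if off <= SHIFT_LENGTH:
            shifts[user][day].append(off)   # inside 19:00-07:00
        else:
            outside[user].append(raw)       # candidate for review
    result = {}
    for user in set(shifts) | set(outside):
        days = list(shifts[user].values())
        result[user] = {
            "avg_first": avg_clock([min(d) for d in days]),
            "avg_last": avg_clock([max(d) for d in days]),
            "outside": outside[user],
        }
    return result

if __name__ == "__main__":
    print(profile(SAMPLE_LOG))
```

Because the averages are taken on offsets from 19:00 rather than on clock times, a first action at 23:00 and another at 01:00 average to midnight instead of to noon.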