* | formatDate(fromMillis(_receipttime), "MM/dd/yyyy HH:mm:ss:SSS") as receipt
You can expand this query to calculate the delay in minutes between the two times, grouped by Collector and Source, to quickly determine which sources may need a configuration update or further review. Run the following query only over the most recent 15-minute time range: because it queries all the log data you have submitted, it will take some time to complete.
* | formatDate(fromMillis(_receipttime), "MM/dd/yyyy HH:mm:ss:SSS") as receipt
| _receiptTime - _messageTime as delay
| delay / 60000 as delayInMinutes
| toInt(delayInMinutes) as delayInMinutes
| avg(delayInMinutes) as avgDelayInMinutes, min(delayInMinutes) as minDelayInMinutes, max(delayInMinutes) as maxDelayInMinutes by _collector, _source, _sourceName