detect time problems (index time and event time being very different)

sourcetype=*
| eval diff=_indextime-_time
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table indextime _time diff sourcetype
| where diff!=0
| timechart avg(diff) max(diff) by sourcetype

purpose:

requirements:

comments:

this search simply graphs the difference in seconds between the event time (_time) and the indexing time (_indextime) by sourcetype: this helps troubleshoot sourcetype timestamp issues. a large positive diff means events are indexed long after their timestamp (delayed forwarding, or a wrong year or timezone in the extracted timestamp); a negative diff means events carry timestamps in the future, which almost always points to a timezone or TIME_FORMAT misconfiguration for that sourcetype.
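the timechart above shows the trend but averages hide outliers and it does not tell you which sourcetypes need attention. the following search is an added example, not part of the original snippet: it summarises the same _indextime-_time lag per sourcetype with min, p95 and max, and assigns a verdict. the field names (lag_s, p95_lag, verdict) and the thresholds (300 s for future-dated events, 3600 s for late events) are assumptions chosen for this example; tune them to your own ingestion pipeline.

```spl
sourcetype=* earliest=-24h
| eval lag_s=_indextime-_time
| stats count
        avg(lag_s) AS avg_lag
        min(lag_s) AS min_lag
        max(lag_s) AS max_lag
        perc95(lag_s) AS p95_lag
        BY sourcetype
| eval avg_lag=round(avg_lag,1), p95_lag=round(p95_lag,1)
| eval verdict=case(
        min_lag < -300, "future timestamps (timezone or TIME_FORMAT issue?)",
        p95_lag > 3600, "events far behind index time (delayed forwarding or wrong year/zone?)",
        true(), "ok")
| sort - p95_lag
```

run it over a window long enough to cover every sourcetype's normal delivery cadence (24h here); sourcetypes that only report once a day will otherwise look like they are missing. _indextime is only present on raw events, so the search will not work on report-accelerated or summary data. once the thresholds are tuned, the same search with `| where verdict!="ok"` makes a useful scheduled alert, since a sudden jump in lag for one sourcetype often means a forwarder is stuck or a timestamp extraction silently broke after a log format change.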