Timestamp vs Indextime of Events (Diagnostic Query)

This query has in the past help me track down issues between forwarders and indexers, and even on occasion finding some time sync issues. Feel free to tweak, modify, and improve upon this query as I'm not 100% certain the math will work in your favor outside of highlighting (positive or negative) time differences!

index=* |eventstats max(_time) as MAXt max(_indextime) as MAXit by host|eval timediff=round(MAXt - MAXit)| convert ctime(MAXit) as idxtime ctime(MAXt) as Date |dedup timediff host | table idxtime Date timediff host | sort - timediff | rename Date as "Timestamp of Event" idxtime as "Index Time Timestamp"