You can setup an alert to detect certain machines are having issues because they re-ingested logs again

Courtesy of DavidM of Austin.. Have fun! ---- Occasionally we have issues where a Windows installed collector will (re)forward old logs that occurred days ago. This typically happens if 1) the collector wasn't shut down cleanly or 2) the collector service gets hung and then is restarted. When this happens we get a flood of logs, we exceed our limit for the day, and then we can't find the culprit because the log times skewed (and I forget to check use receipt time). This query alerts me that certain host are sending OLD logs. (_sourceCategory=OS/Windows) (event_id=4624 or event_id=7036) | parse "TimeGenerated = \"*.000000-000\";" as timegenerated | toMillis(parseDate(timegenerated, "yyyyMMddHHmmss","etc/utc")) as timegenerated_epoch | _messagetime as messagetime_epoch | abs(timegenerated_epoch - messagetime_epoch) as delta | where delta > (1000 * 60) // 1 hour | count _sourcehost | sort _sourcehost asc | fields -_count