Best practice is that all of your forwarders uses a synchronised time source, in many cases thats likely NTP or the Windows Time Service.

The problem with your question, is how would you trust what a UF thinks its time is vs what it really is.

You would be relying on the UF knowing two times - the real time, and its local time.
You could write a simple scripted input to query a known good time source like an ntp server, and write its result alongside your UF's local time into a logfile and configure your inputs.conf to collect both times so you could compare any drift (but you can expect a few ms difference between the two even on a perfectly synced system)

Then, there is your use of the dreaded phrase "real time". At the risk of running away on a tangent, take a look at this post for reasons why "real-time" in your use case is probably a bad idea.
https://answers.splunk.com/answers/734767/why-are-realtime-searches-disliked-in-the-splunk-w.html