Screenshot 1 is the output of some scheduled search which is categorised as sourcetype stash, and it has latency in _indextime.
The following is the search I used, which triggered the output from screenshot 2:
| eval timediff=(_indextime-_time) | eval Hoursoff=round(timediff/3600) | search NOT Hoursoff=0 | rename _indextime as Indextime | eval Indextime=strftime(Indextime, "%d%m%y %H:%M:%S") | eval Time=strftime(_time, "%d%m%y %H:%M:%S") | dedup sourcetype | table Time, Indextime, Hoursoff, date_zone, host, sourcetype, source