Occasionally we have issues where a Windows-installed collector will (re)forward old logs that occurred days ago. This typically happens if:
- the collector wasn't shut down cleanly
- the collector service gets hung and is then restarted.

When this happens we get a flood of logs, we exceed our limit for the day, and then we can't find the culprit because the log times are skewed (and I forget to check "use receipt time"). This query alerts me that certain hosts are sending OLD logs.
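The detection the post describes, as an added example that is not the poster's query and not tied to any particular log platform: compare each record's message time (the timestamp parsed from the log line) against its receipt time (when the platform actually ingested it), and flag hosts that send records whose lag exceeds a threshold. The record field names, the 24-hour threshold, and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real collector output). Field names are
# assumptions: "message_time" is the timestamp parsed from the log line,
# "receipt_time" is when the platform received it.
SAMPLE_RECORDS = [
    {"host": "web01", "message_time": "2024-03-10T09:00:05Z", "receipt_time": "2024-03-10T09:00:07Z"},
    {"host": "web01", "message_time": "2024-03-10T09:00:06Z", "receipt_time": "2024-03-10T09:00:08Z"},
    # db02 replays two records from three days earlier after a restart
    {"host": "db02", "message_time": "2024-03-07T14:21:00Z", "receipt_time": "2024-03-10T09:00:09Z"},
    {"host": "db02", "message_time": "2024-03-07T14:21:01Z", "receipt_time": "2024-03-10T09:00:09Z"},
    {"host": "db02", "message_time": "2024-03-10T09:00:08Z", "receipt_time": "2024-03-10T09:00:10Z"},
    # app03 is 30 minutes behind: ordinary clock drift or buffering, not a replay
    {"host": "app03", "message_time": "2024-03-10T08:30:00Z", "receipt_time": "2024-03-10T09:00:11Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lag_seconds(record):
    """Receipt time minus message time. Large positive values mean the
    collector is forwarding logs that are much older than 'now'."""
    return (parse_ts(record["receipt_time"]) - parse_ts(record["message_time"])).total_seconds()


def find_stale_hosts(records, max_lag=timedelta(hours=24), min_count=1):
    """Group records by host and report hosts that sent at least min_count
    records older than max_lag at the moment they were received.

    Returns {host: {"stale": n, "total": m, "max_lag_s": x}}.
    """
    threshold = max_lag.total_seconds()
    stats = defaultdict(lambda: {"stale": 0, "total": 0, "max_lag_s": 0.0})
    for rec in records:
        host_stats = stats[rec["host"]]
        lag = lag_seconds(rec)
        host_stats["total"] += 1
        host_stats["max_lag_s"] = max(host_stats["max_lag_s"], lag)
        if lag > threshold:
            host_stats["stale"] += 1
    return {host: s for host, s in stats.items() if s["stale"] >= min_count}


if __name__ == "__main__":
    for host, s in find_stale_hosts(SAMPLE_RECORDS).items():
        print(f"ALERT {host}: {s['stale']}/{s['total']} records stale, "
              f"max lag {s['max_lag_s'] / 86400:.1f} days")
```

Keying the check on receipt time is what makes it work: searching by message time buries the replayed records days back in the timeline, while grouping by receipt time shows exactly which host produced the flood and when. The threshold is set to a day because the symptom is blowing the daily ingest limit; lower it if you also want to catch smaller backlogs after a hung service restarts.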