Something like this: timestamp > now - and timestamp < now +. So if the message is not in the future or too much in the past.
I tried to do this with pipelines, but I couldn't get a timestamp and add a few seconds to it, and couldn't check the time against the timestamp in the message. The idea with pipelines was to check and write a new field if the time isn't right, and create an alarm that searches for this field.
Try this pipeline rule, which inserts a new field if the timestamp is lower or higher than 1 hour from the server's time:
```
rule "check wrong timestamp"
when
    // message timestamp is more than 1 hour ahead of the server's time
    parse_date(value: to_string($message.timestamp), pattern: "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'") - seconds(3600) > now() ||
    // message timestamp is more than 1 hour behind the server's time
    parse_date(value: to_string($message.timestamp), pattern: "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'") + seconds(3600) < now()
then
    //set_field("timestamp", now()); // uncomment if you want to fix the timestamp
    set_field("timestamp_problem", "true");
end
```
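The same window check, written as an added Python example (not part of the thread) so the tolerances can be tried against sample messages before an alert is built on `timestamp_problem`. It goes beyond the rule above in two ways: the past and future tolerances are separate parameters, and the field records why the message was flagged instead of `"true"`. The function names, the sample messages and the reference time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Python equivalent of the rule's "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'" pattern.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def classify_timestamp(raw, now, max_past=timedelta(hours=1),
                       max_future=timedelta(hours=1)):
    """Return 'ok', 'past', 'future' or 'unparsable' for one timestamp."""
    try:
        ts = datetime.strptime(raw, TS_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        # A missing or differently formatted timestamp cannot be trusted for
        # time-bounded searches either, so it is reported, not skipped.
        return "unparsable"
    if ts - max_future > now:   # same strict comparison as the rule
        return "future"
    if ts + max_past < now:
        return "past"
    return "ok"

def tag_messages(messages, now, **tolerances):
    """Set timestamp_problem on messages outside the window; return them."""
    flagged = []
    for msg in messages:
        verdict = classify_timestamp(msg.get("timestamp"), now, **tolerances)
        if verdict != "ok":
            msg["timestamp_problem"] = verdict
            flagged.append(msg)
    return flagged

# Constructed reference time and messages (not real log data).
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"source": "fw01", "timestamp": "2024-05-01T11:59:58.120Z"},   # 2 s old
    {"source": "app02", "timestamp": "2024-05-01T14:30:00.000Z"},  # 2.5 h ahead
    {"source": "plc03", "timestamp": "1970-01-01T00:00:12.000Z"},  # clock reset
    {"source": "iot04", "timestamp": "01/05/2024 12:00"},          # wrong format
    {"source": "edge05", "timestamp": "2024-05-01T11:00:00.000Z"}, # exactly 1 h old
]

if __name__ == "__main__":
    for m in tag_messages([dict(m) for m in SAMPLE], NOW):
        print(m["source"], m["timestamp_problem"])
```

A message exactly on the boundary (`edge05`) is not flagged, because both comparisons are strict, as in the rule.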