are they a asleep? also, there is a built in concept of splay/delay so that all hosts never return results to the same query at the same time. lots of variables to think through.

It could certainly be the case that queries ran while hosts were offline, and then results sent when they came back online. The built in splay is +-10%, so that's likely not a huge factor here.

Anything pops out?

That all looks pretty standard, it sounds like the hosts were likely unable to send logs, then batched them together when they were. If other hosts were able to send during the time, it points to these specific hosts not being online.

Thank you very much