The problem is that you need to identify the average, and the metadata command does not provide that information, or sufficient information to compute the average. Let's say that you want to derive the average time between events over the past 30 days to establish the threshold for each source; this could be a pretty expensive calculation if you have hundreds of sources and terrabytes of events.

There are a lot of possible approaches, but I would do this:

1. Every night, run a search that calculates the average time between events for the last 30 days. Have the search output that information into a lookup table.
2. On demand (or every 10 minutes or whatever), run a report that looks at the latest arrival time(s) for each source; compare that arrival time interval with the value looked up from the table. Take action as needed.

Assume that the csv would look like this, with the average arrival time listed in seconds:
source,avgArrivalTime
/var/log/message.log,85465
/var/log/web/access.log,93

The search to create the lookup table would be something like

index=* | fields + source | fields - _raw
| streamstats latest(_time) as latest_time by source window=1 current=f global=f
| eval delta = lastest_time - time
| stats avg(delta) as avgArrivalTime by source
| table source avgArrivalTime
| outputlookup app=t avgTime.csv

The search to identify the "missing" logs would be something like this

| tstats latest(_time) as lastEventTime where index=* by source
| eval timeDelay = now - lastEventTime
| lookup avgTime.csv source OUTPUT avgArrivalTime
| where timeDelay > (avgArrivalTime * 1.15)

The output of the second search is a list of sources where no new events have been indexed within the normal window + 15%
Of course there are lots of ways to do this, but hopefully this will give you a good start.