Its a bit complicated query but let me explain.
One device=a start sending logs after 3 months. befor 3 months there was logs and LAST LOG/EVENT RECEIVED YESTERDAY.

So i want to see earliest, latest and difference between noew() and latest event.

dvc/host latestTime earliestTime daydiff
1 07/02/2019 09:40:55 04/04/2019 00:01:13 01/02/1970 07:27:59

below is my query:

index=xxx
| stats latest(_time) as latestTime, earliest(_time) as earliestTime by dvc
| convert ctime(latestTime) as latestTime, ctime(earliestTime) as earliestTime

and when I add below:

index=xxx
| stats latest(_time) as latestTime, earliest(_time) as earliestTime by dvc
| eval daydiff = (now()-latestTime)
| convert ctime(latestTime) as latestTime, ctime(earliestTime) as earliestTime, ctime(daydiff)

the daydiff field show the result = 01/01/1970