You can very easily add these to your tstats searches. For example..
| tstats min(_time) as earliest_time, max(_time) as latest_time WHERE earliest=-30d@d latest=+1y@y by index sourcetype
| eval daysOfLogs=round((latest_time - earliest_time)/60/60/24, 2)
| eval eventsInFuture=if(latest_time > now(), "yes", "no")
| eval tnow = now()
| convert ctime(*time)
| convert ctime(tnow)
You can very much add earliest and latest time boundaries in tstats with the WHERE clause, and you can update BY clause to include any of the indexed fields ( _time, source, sourcetype, host.) Additionally, tstats doesn't show the indexed time, it shows the parsed event time as searched for with min and max and the default behavior is to use the timerange picker's earliest and latest, which is why you wont see future events by default.
Try the above search in your environment.
... View more