Timestamps from the future.

Shows all hosts that are sending events whose timestamps are more than 5 minutes (300 seconds) ahead of the current time, and how far ahead of the indexer's clock each host is.

| metadata type=hosts 
| where lastTime>now()+300
| eval mins_in_future=(lastTime-now())/60
| eval years_in_future=mins_in_future/60/24/365
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z")
| table lastTime, host, mins_in_future, years_in_future
| sort - mins_in_future
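The same check, as an added Python example rather than code from the original page: it derives each host's newest event time from a handful of constructed syslog-style lines (standing in for what `metadata type=hosts` returns as `lastTime`), keeps only hosts whose newest event is more than 300 seconds ahead of a fixed reference clock, and reports the same `mins_in_future` / `years_in_future` columns as the search above. Future-dated events are worth surfacing because time-bounded searches and correlation rules silently miss them; most hits are clock drift or a wrong time zone on the sender, but a host that suddenly jumps years ahead deserves a look. The host names, messages and the reference time `NOW` are all assumptions made up for the example.

```python
import time
from datetime import datetime, timezone

# Constructed sample events in "<ISO-8601 UTC timestamp> <host> <message>" form.
# build7 is years in the future; db01 is 5.5 minutes ahead; the rest are in the past.
SAMPLE_EVENTS = """\
2024-03-10T12:00:05Z web01 sshd[1021]: Accepted publickey for deploy
2024-03-10T12:02:40Z web01 sshd[1021]: session closed for user deploy
2024-03-10T12:09:30Z db01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-10T12:03:30Z db01 systemd[1]: Reloading.
2031-01-01T00:00:00Z build7 systemd[1]: Started Daily apt upgrade
2024-03-10T11:58:00Z vpn02 openvpn[400]: client connected
"""

# Fixed reference clock (assumption) so the example is reproducible; pass
# now=None to hosts_in_future() to use the real wall clock instead.
NOW = datetime(2024, 3, 10, 12, 4, 0, tzinfo=timezone.utc).timestamp()

# Same 5-minute (300 second) tolerance as the Splunk search.
FUTURE_THRESHOLD_SECONDS = 300


def parse_events(text):
    """Return {host: newest_event_epoch_seconds}, the equivalent of lastTime."""
    last_time = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _msg = line.split(" ", 2)
        epoch = (
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            .timestamp()
        )
        last_time[host] = max(epoch, last_time.get(host, epoch))
    return last_time


def hosts_in_future(last_time, now=None, threshold=FUTURE_THRESHOLD_SECONDS):
    """Hosts whose newest event is strictly more than `threshold` seconds ahead of `now`.

    Mirrors: where lastTime>now()+300 | eval mins_in_future ... | sort - mins_in_future
    """
    if now is None:
        now = time.time()
    rows = []
    for host, lt in last_time.items():
        if lt > now + threshold:          # same strict comparison as the search
            mins = (lt - now) / 60
            rows.append({
                "lastTime": datetime.fromtimestamp(lt, tz=timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S %Z"),
                "host": host,
                "mins_in_future": mins,
                "years_in_future": mins / 60 / 24 / 365,
            })
    rows.sort(key=lambda r: r["mins_in_future"], reverse=True)
    return rows


def run_example():
    """Run the check over the constructed sample against the fixed reference clock."""
    return hosts_in_future(parse_events(SAMPLE_EVENTS), now=NOW)


if __name__ == "__main__":
    for row in run_example():
        print(f'{row["lastTime"]}  {row["host"]:<8} '
              f'{row["mins_in_future"]:>14.1f} min  {row["years_in_future"]:>8.3f} yr')
```

Note that a host exactly 300 seconds ahead is excluded, just as `lastTime>now()+300` excludes it in the search; widen the tolerance if your forwarders are expected to drift more than that.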