I think you have a TZ issue with your timestamping and your "nowish" events are showing up "in the future". To test this, the next time you forward a file, run your search for all time, which is the only way to see events mis-timestamped into the future. There is also a log that shows this. You can confirm this sort of a problem with this search:
... | eval lagSeconds = _indextime - _time | stats avg(lagSeconds) by sourcetype,host,index
If the lagTime is negative, then you definitely have this problem.
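The lag check from the answer above, reproduced offline as an added example (not part of the original post): it averages `_indextime - _time` per sourcetype, host and index, flags negative averages, and estimates the offset in hours. The sample events, the 60-second slack and the snap-to-15-minutes heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

BASE = 1_700_000_000  # constructed epoch second standing in for "now"

# Constructed events: (_time, _indextime, sourcetype, host, index).
# web01 logs local time without a zone; parsed as UTC it lands 5 hours ahead.
EVENTS = [
    (BASE + 0, BASE + 4, "syslog", "fw01", "network"),
    (BASE + 60, BASE + 66, "syslog", "fw01", "network"),
    (BASE + 18000, BASE + 5, "access_combined", "web01", "web"),
    (BASE + 18030, BASE + 37, "access_combined", "web01", "web"),
]


def lag_report(events, slack=60):
    """Average lagSeconds per (sourcetype, host, index), plus a TZ-skew guess."""
    groups = defaultdict(list)
    for event_time, index_time, sourcetype, host, index in events:
        groups[(sourcetype, host, index)].append(index_time - event_time)

    report = {}
    for key, lags in groups.items():
        avg = mean(lags)
        # Assumption: zone offsets are multiples of 15 minutes, so an average
        # lag within `slack` seconds of a non-zero multiple of 900 s looks
        # like a zone misparse rather than clock drift or slow forwarding.
        snapped = round(avg / 900) * 900
        skew_hours = None
        if snapped != 0 and abs(avg - snapped) <= slack:
            skew_hours = snapped / 3600
        report[key] = {
            "avg_lag": avg,
            "future": avg < 0,  # negative lag: events stamped ahead of indexing
            "skew_hours": skew_hours,
        }
    return report


if __name__ == "__main__":
    for key, row in sorted(lag_report(EVENTS).items()):
        print(key, row)
```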