You might want to have a warning "If you do this it will take a really long time unless you upgrade to a t2.medium blah." My VPC flow logs often run into the 26M/day, and it would be nice to put in a day's worth if I could run it overnight. I don't mind upgrading to higher level instances.
P.S. Great tool. Laser-focused, and I don't have to have 10,000 instances of Elasticsearch.
Just to test, I ran a job just now and saw traffic to an instance we hadn't used in 3 days and saw "rule in use", so it must be getting older data. You may want to use the Flow Log Viewer part of the product and see how far back your logs go for that particular log_stream. You can use the date picker to request logs for any arbitrary date and time, and we'll try to retrieve them from CWL.