Looking at below snap of netfow.rb, It seems that overflow of bit is taken care during calculation of first_switched and last_switched. I can think a case where system up time may be smaller than first switched time in numeric form if there is overflow occurred. In that case, current netflow.rb will fail to generate accurate first_switched and last_switched. Any thought on this?
Thanks in advance.
Snip of code which calculate first_switched and last_switched.
# The flow record sets the first and last times to the device # uptime in milliseconds. Given the actual uptime is provided # in the flowset header along with the epoch seconds we can # convert these into absolute times millis = flowset.uptime - v seconds = flowset.unix_sec - (millis / 1000) micros = (flowset.unix_nsec / 1000) - (millis % 1000) if micros < 0 seconds-- micros += 1000000 end event[@target][k.to_s] = LogStash::Timestamp.at(seconds, micros).to_iso8601 else event[@target][k.to_s] = v.snapshot end end