What is the last_time field supposed to represent?

wmathews · August 10, 2017, 4:26pm

The documentation says "The time, the most recent processed packet for the flow has been seen.", however for all of the entries in my cluster, this is always exactly the same as the start_time field even when the flow was open for multiple time periods and new packets were received after the first.

{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWIfwxpQtYgsqMToo",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:40.000Z",
    "beat": {
      ...
    },
    "dest": {
     ...
      "stats": {
        "net_bytes_total": 3505,
        "net_packets_total": 13
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 1821,
        "net_packets_total": 13
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023520000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023520000
  ]
}

{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWK8AxpQtYgsqMTph",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:50.000Z",
    "beat": {
      ...
    },
    "dest": {
      ...
      "stats": {
        "net_bytes_total": 4509,
        "net_packets_total": 17
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 2589,
        "net_packets_total": 19
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023530000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023530000
  ]
}

Here you can see two separate entries from Packetbeat describing the same long running flow, where new packets are seen in the second entry but the last_time field is never updated, and always remains the same as the start_time field.

Should it not be updating every time a new packet is received? Is this a bug of some sort? Has anyone ever had this field work for them? I am trying to do work that requires this information so if I can't get this to work I'll need to use a different solution, which would be unfortunate since Packetbeat does what I need it to otherwise.

steffens · August 11, 2017, 1:54pm

I'd say this is a bug. Can you report this on github please?

wmathews · August 15, 2017, 4:10pm

Okay, I made a topic. I wasn't sure how to add labels though

steffens · August 15, 2017, 7:53pm

Thanks for reporting the issue. I added the labels. Seems all packetbeat versions are affected

system · September 12, 2017, 7:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.