
last_time field is never set by Packetbeat #4895

Closed
@wmathews

Description

This is Packetbeat 5.0.2 running on Ubuntu Linux, reporting to an Elastic stack also running on Ubuntu Linux. If this has been fixed in a newer version this year then this can be closed and I'll just update, but I haven't been able to find anything to that effect. I had normal traffic running through and Packetbeat running.

For all of the entries in my cluster, the last_time is always exactly the same as the start_time field even when the flow was open for multiple time periods and new packets were received after the first.

```json
{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWIfwxpQtYgsqMToo",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:40.000Z",
    "beat": {
      ...
    },
    "dest": {
      ...
      "stats": {
        "net_bytes_total": 3505,
        "net_packets_total": 13
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 1821,
        "net_packets_total": 13
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023520000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023520000
  ]
}
```

```json
{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWK8AxpQtYgsqMTph",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:50.000Z",
    "beat": {
      ...
    },
    "dest": {
      ...
      "stats": {
        "net_bytes_total": 4509,
        "net_packets_total": 17
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 2589,
        "net_packets_total": 19
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023530000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023530000
  ]
}
```

Here you can see two separate entries from Packetbeat describing the same long-running flow, where new packets are seen in the second entry but the last_time field is never updated, and always remains the same as the start_time field.
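The symptom above can be checked across a set of exported flow events rather than by eye: group reports by flow_id, order them by @timestamp, and flag any flow whose packet counters grew between two reports while last_time still equals start_time. The script below is an added example, not Packetbeat's own code; the events are constructed to mirror the two reports in this issue plus one healthy flow for contrast.

```python
"""Flag Packetbeat flow reports whose last_time never advances."""
from collections import defaultdict
from datetime import datetime, timezone


def event(flow_id, ts, start, last, src_pkts, dst_pkts):
    """Build a minimal flow event shaped like Packetbeat's (constructed sample)."""
    return {"flow_id": flow_id, "@timestamp": ts, "start_time": start,
            "last_time": last,
            "source": {"stats": {"net_packets_total": src_pkts}},
            "dest": {"stats": {"net_packets_total": dst_pkts}}}


T0 = "2017-05-17T12:18:18.691Z"
SAMPLE_EVENTS = [
    # Flow A mirrors the issue: counters grow, last_time stays at start_time.
    event("FLOW-A", "2017-05-17T12:18:40.000Z", T0, T0, 13, 13),
    event("FLOW-A", "2017-05-17T12:18:50.000Z", T0, T0, 19, 17),
    # Flow B is a healthy flow: last_time advances when new packets arrive.
    event("FLOW-B", "2017-05-17T12:18:40.000Z", "2017-05-17T12:18:20.000Z",
          "2017-05-17T12:18:20.000Z", 4, 4),
    event("FLOW-B", "2017-05-17T12:18:50.000Z", "2017-05-17T12:18:20.000Z",
          "2017-05-17T12:18:47.500Z", 6, 5),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps Packetbeat emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def packets(ev):
    """Total packets seen in both directions of a flow report."""
    return (ev["source"]["stats"]["net_packets_total"]
            + ev["dest"]["stats"]["net_packets_total"])


def stale_last_time_flows(events):
    """Return flow_ids where a later report shows more packets than an earlier
    one while its last_time is still equal to its start_time."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    stale = []
    for flow_id, reports in by_flow.items():
        reports.sort(key=lambda ev: parse_ts(ev["@timestamp"]))
        for earlier, later in zip(reports, reports[1:]):
            grew = packets(later) > packets(earlier)
            frozen = parse_ts(later["last_time"]) == parse_ts(later["start_time"])
            if grew and frozen:
                stale.append(flow_id)
                break
    return stale
```

Run it against a JSON export of the `_source` documents from a packetbeat index; any flow_id returned reproduces the behaviour described here.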
