last_time field is never set by Packetbeat

[wmathews]

This is Packetbeat 5.0.2 running on ubuntu Linux reporting to an Elastic stack also running on ubuntu Linux. If this has been fixed in a newer version this year then this can be closed and I'll just update, but I haven't been able to find anything to that effect. I had normal traffic running through and packetbeat running.

For all of the entries in my cluster, the last_time is always exactly the same as the start_time field even when the flow was open for multiple time periods and new packets were received after the first.

{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWIfwxpQtYgsqMToo",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:40.000Z",
    "beat": {
      ...
    },
    "dest": {
     ...
      "stats": {
        "net_bytes_total": 3505,
        "net_packets_total": 13
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 1821,
        "net_packets_total": 13
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023520000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023520000
  ]
}

{
  "_index": "packetbeat-2017.05.17",
  "_type": "flow",
  "_id": "AVwWWK8AxpQtYgsqMTph",
  "_score": null,
  "_source": {
    "@timestamp": "2017-05-17T12:18:50.000Z",
    "beat": {
      ...
    },
    "dest": {
      ...
      "stats": {
        "net_bytes_total": 4509,
        "net_packets_total": 17
      }
    },
    "final": false,
    "flow_id": "EQQA////DP//////FP8BAAH6Fj5/r7b6Fj66+u/AqB0UwKgKA48Az4c",
    "last_time": "2017-05-17T12:18:18.691Z",
    "source": {
      ...
      "stats": {
        "net_bytes_total": 2589,
        "net_packets_total": 19
      }
    },
    "start_time": "2017-05-17T12:18:18.691Z",
    "transport": "tcp",
    "type": "flow"
  },
  "fields": {
    "start_time": [
      1495023498691
    ],
    "@timestamp": [
      1495023530000
    ],
    "last_time": [
      1495023498691
    ]
  },
  "sort": [
    1495023530000
  ]
}

Here you can see two separate entries from Packetbeat describing the same long running flow, where new packets are seen in the second entry but the last_time field is never updated, and always remains the same as the start_time field.

[Paqi]

I ran into this issue on my Windows machine. This fix was released in Beats version 5.5.3, but when I installed it, I still saw this issue with the last_time field. Was this fix platform specific, or should it have worked across platforms?