Event: Use -1.0 for undefined/unset timestamps

This can happen if either there's no network timestamp associated with an event, or there's currently no event being dispatched. Using 0.0 isn't great as it's the normal start timestamp before reading a network packet. Using -1.0 gives the caller a chance to check and realize what's going on.
2025-10-02 14:48:21 +00:00 · 2025-05-26 16:14:58 +02:00 · 2025-05-26 16:14:58 +02:00 · 7b4b1779bf
commit 7b4b1779bf
parent e2e13902f3
5 changed files with 29 additions and 4 deletions
--- a/6
+++ b/6
@ -24,6 +24,12 @@ Breaking Changes
  a small overhead when enabled. There's not enough users of network timestamp
  metadata to justify the complexity of treating it separate.

+- The ``current_event_time()`` builtin function as well as ``Event::Time()``
+  and ``EventMgr::CurrentEventTime()`` now return ``-1.0`` if not timestamp
+  metadata is available for the current event, or if no event is being
+  dispatched. Previously this would've likely been 0.0, or the previously
+  dispatched event.
+
 New Functionality
 -----------------

--- a/src/Event.cc
+++ b/src/Event.cc
@ -96,7 +96,7 @@ zeek::VectorValPtr Event::MetadataValues(const EnumValPtr& id) const {

 double Event::Time() const {
    if ( ! meta )
-        return 0.0;
+        return detail::NO_TIMESTAMP;

    for ( const auto& m : *meta )
        if ( m.Id() == static_cast<zeek_uint_t>(detail::MetadataType::NetworkTimestamp) ) {
@ -109,7 +109,7 @@ double Event::Time() const {
            return m.Val()->AsTime();
        }

-    return 0.0;
+    return detail::NO_TIMESTAMP;
 }

 void Event::Describe(ODesc* d) const {
--- a/src/Event.h
+++ b/src/Event.h
@ -49,6 +49,8 @@ using EventMetadataVectorPtr = std::unique_ptr<EventMetadataVector>;
 */
 EventMetadataVectorPtr MakeEventMetadataVector(double t);

+constexpr double NO_TIMESTAMP = -1.0;
+
 } // namespace detail

 class Event final : public Obj {
@ -170,8 +172,8 @@ public:
    // the event was intended to be executed. For scheduled events, this is the time the event
    // was scheduled to. For any other event, this is the time when the event was created.
    //
-    // If no event is being processed, returns 0.0.
-    double CurrentEventTime() const { return current ? current->Time() : 0.0; }
+    // If no event is being processed or there is no timestamp information, returns -1.0
+    double CurrentEventTime() const { return current ? current->Time() : detail::NO_TIMESTAMP; }

    int Size() const { return num_events_queued - num_events_dispatched; }

--- a/testing/btest/Baseline/core.event-metadata.current-event-time/output
+++ b/testing/btest/Baseline/core.event-metadata.current-event-time/output
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+new_connection add_network_timestamp=T current_event_time=1362692526.869344 network_timestamp=[1362692526.869344]
+new_connection add_network_timestamp=F current_event_time=-1.0 network_timestamp=[]
--- a/testing/btest/core/event-metadata/current-event-time.zeek
+++ b/testing/btest/core/event-metadata/current-event-time.zeek
@ -0,0 +1,14 @@
+# @TEST-DOC: Check current_event_time() produces the same as event metadata, or else -1.0
+#
+# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT EventMetadata::add_network_timestamp=T >> output 2>&1
+# @TEST-EXEC: zeek -r $TRACES/http/get.trace %INPUT EventMetadata::add_network_timestamp=F >> output 2>&1
+#
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
+
+
+event new_connection(c: connection)
+	{
+	print fmt("new_connection add_network_timestamp=%s current_event_time=%s network_timestamp=%s",
+	          EventMetadata::add_network_timestamp, current_event_time(),
+	          EventMetadata::current(EventMetadata::NETWORK_TIMESTAMP));
+	}