SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)
Could I get a hand with the meaning of a few constructs in this pattern?
(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})
Does the ?: prefix to a couple of the patterns mean a non-capturing pattern, as with some other regex libraries? What does this mean for a pattern chunk in the grok filter? The pattern inherently captures matching text to a named field, so I'm not clear what that would mean.
(?:%{SYSLOGFACILITY} )?
Does this indicate that 0 or 1 match of the facility is required (i.e. this field is optional in the pattern)?
%{SYSLOGHOST:logsource}+
Does the + indicate that one or more log sources may be chained together in the log? In the case where there are multiple, are they typically whitespace separated, and does the pattern accommodate a match on the whitespace between 2 or more SYSLOGHOSTs?
(?: %{SYSLOGPROG}:|)
I'm curious what the single | for the SEMANTIC means with this field. Also, it's prefixed with ?: - why? (Related to #1).
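As an added illustration (not from the original post and not the grok library's own code), here is a small Python expander that rewrites grok syntax into a plain regex and runs SYSLOGBASE2 over constructed sample lines, so each of the constructs asked about can be seen doing its work. The pattern definitions are a simplified subset I assume for the demo, not the stock ones.

```python
import re

# Constructed, simplified subset of the stock grok pattern library (assumption: enough
# for the sample lines below; the real MONTH, HOSTNAME, etc. definitions are longer).
PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"[0-2][0-9]:[0-5][0-9](?::[0-5][0-9])?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T%{TIME}(?:Z|[+-]\d{2}:?\d{2})?",
    "NONNEGINT": r"\d+",
    "POSINT": r"[1-9]\d*",
    "SYSLOGFACILITY": r"<%{NONNEGINT:facility}\.%{NONNEGINT:priority}>",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "SYSLOGHOST": r"%{HOSTNAME}",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "SYSLOGBASE2": r"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) "
                   r"(?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """%{NAME:field} -> named group (?P<field>...); %{NAME} -> non-capturing (?:...).
    So (?:...) written directly in a grok pattern is just ordinary regex grouping:
    grok only emits named fields, so an unnamed group never appears in the event."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = expand(PATTERNS[name])  # nested %{...} references expand recursively
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(sub, pattern)

def grok(name, line):
    """Match a line against a named grok pattern; return the named fields or None."""
    m = re.match(expand(PATTERNS[name]), line)
    return m.groupdict() if m else None

# Constructed sample lines: BSD timestamp with program[pid]; ISO timestamp with a
# <facility.priority> prefix; no program at all, taking the empty branch of (?: %{SYSLOGPROG}:|).
SAMPLE_LINES = [
    "Jan  5 10:00:01 myhost sshd[1234]: Accepted publickey for alice",
    "2024-01-05T10:00:01Z <13.6> host2 kernel: link is up",
    "Jan  5 10:00:02 myhost unstructured message text",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(grok("SYSLOGBASE2", line))
```

The third line shows the empty right-hand side of (?: %{SYSLOGPROG}:|) in action: program and pid come back as None instead of the whole match failing. Nothing inside the %{SYSLOGHOST:logsource}+ repetition consumes whitespace, so a second host would have to abut the first; on these lines the group matches exactly once.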