SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)
Could I get a hand with the meaning of a few constructs in this pattern?
(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})
Does the ?: prefix to a couple of the patterns mean a non-capturing pattern as with some other regex libraries? What does this mean for a pattern chunk in the grok filter? The pattern inherently captures matching text to a named field so I'm not clear what that would mean.
(?:%{SYSLOGFACILITY} )?
Does this indicate 0 or 1 match of the facility is required (i.e. this field is optional in the pattern)?
%{SYSLOGHOST:logsource}+
Does the + indicate that one or more log sources may be chained together in the log? In the case where there are multiple, are they typically whitespace separated, and does the pattern accommodate a match on the whitespace between 2 or more SYSLOGHOSTs?
(?: %{SYSLOGPROG}:|)
I'm curious what the single | for the SEMANTIC means with this field. Also it's prefixed with ?: - why? (Related to #1).
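The four constructs asked about above can be checked empirically. What follows is an added example, not code from the original post and not the Logstash/grok project's own implementation: a small Python expander that rewrites %{NAME} and %{NAME:field} references into ordinary `re` groups, using simplified, constructed stand-ins for the stock SYSLOGTIMESTAMP, TIMESTAMP_ISO8601, SYSLOGFACILITY, SYSLOGHOST and SYSLOGPROG definitions (the real ones are longer, but the grouping structure is the same). The function names `expand`, `parse`, `capture_fields` and `last_repetition_only`, the DEFS table and the sample log lines are all assumptions made for this example.

```python
import re

# Simplified, constructed approximations of the stock grok definitions
# (not the real Logstash pattern files). Unescaped "." in SYSLOGFACILITY
# mirrors the grok definition, which also leaves it unescaped.
DEFS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"(?:[0-2][0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "TIMESTAMP_ISO8601": r"[0-9]{4}-[0-9]{2}-[0-9]{2}[T ][0-9]{2}:[0-9]{2}:[0-9]{2}"
                         r"(?:Z|[+-][0-9]{2}:?[0-9]{2})?",
    "NONNEGINT": r"[0-9]+",
    "SYSLOGFACILITY": r"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9.-]*",
    "SYSLOGHOST": r"%{HOSTNAME}",
    # PROG: printable ASCII except space, "[", "]", "\" and "^" region
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "POSINT": r"[1-9][0-9]*",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "GREEDYDATA": r".*",
}

# The pattern from the question, verbatim, plus a trailing message field
# so that whole sample lines are consumed.
SYSLOGBASE2 = (
    r"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) "
    r"(?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)"
)

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern: str) -> str:
    """Recursively replace %{NAME} / %{NAME:field} with regex groups.

    A bare %{NAME} becomes a non-capturing group (?:...); %{NAME:field}
    becomes a named group (?P<field>...). That is the whole difference
    between "(?:" and a SEMANTIC name: "(?:" groups only for alternation
    or quantifiers and creates no field, the name creates the field.
    """
    def sub(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = expand(DEFS[name])          # nested references expand too
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return REF.sub(sub, pattern)


SYSLOGLINE = re.compile(expand(SYSLOGBASE2 + " %{GREEDYDATA:message}"))


def capture_fields() -> list:
    """Names of the capturing groups: exactly the SEMANTIC fields, because
    every (?:...) group in the expansion is non-capturing."""
    return sorted(SYSLOGLINE.groupindex)


def parse(line: str):
    """Match one line from its start; fields in a skipped optional or
    empty alternative come back as None, as grok leaves them unset."""
    m = SYSLOGLINE.match(line)
    return m.groupdict() if m else None


def last_repetition_only() -> str:
    """A quantified named group keeps only its last repetition, so
    %{SYSLOGHOST:logsource}+ still yields a single logsource value."""
    return re.match(r"(?P<w>[a-z])+", "abc").group("w")


if __name__ == "__main__":
    # Constructed sample lines, not real log data.
    for line in (
        "Oct 11 22:14:15 myhost sshd[1234]: Failed password for invalid user",
        "Oct 11 22:14:15 <13.6> myhost kernel: eth0 link up",
        "2023-10-11T22:14:15Z myhost sshd[1234]: Accepted publickey",
        "Oct 11 22:14:15 host-a host-b sshd[1]: two tokens",
        "Oct 11 22:14:15 myhost no program here",
    ):
        print(parse(line))
```

Running it shows: `(?:...)` adds no fields (the capture list is just the eight SEMANTIC names); `(?:%{SYSLOGFACILITY} )?` is optional, so facility and priority are None unless a `<13.6>` token is present; the `+` after `%{SYSLOGHOST:logsource}` repeats the group with no whitespace between repetitions, so a second space-separated host ("host-b" in the fourth line) is not absorbed into logsource but falls through to the message; and `(?: %{SYSLOGPROG}:|)` is an alternation whose second branch is empty, which is how a line with no "prog:" token still matches with program left unset.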