Understanding SYSLOGBASE2 pattern


SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)

Could I get a hand with the meaning of a few constructs in this pattern?

  1. (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601})

Does the ?: prefix to a couple of the patterns mean a non-capturing pattern as with some other regex libraries? What does this mean for a pattern chunk in the grok filter? The pattern inherently captures matching text to a named field so I'm not clear what that would mean.

  1. (?:%{SYSLOGFACILITY} )?

Does this indicate 0 or 1 match of the facility is required (i.e. this field is optional in the pattern?

  1. %{SYSLOGHOST:logsource}+

Does the + indicate that one more log sources may be chained together in the log? In the case where there are multiple, are they typically whitespace separated, and does the pattern accommodate a match on the whitespace between 2 or more SYSLOGHOSTs?

  1. (?: %{SYSLOGPROG}:|)

I'm curious what the single | for the SEMANTIC means with this field. Also it's prefixed with ?: - why? (Related to #1).

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.