I was writing a grok parser and ran across an unexpected result where my parser outputted a null group when parsing the HOSTNAME rule and thats when I noticed that it had a group at the end that wasn't set to non-matching (ie ?:).

definition in question:

https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns#L30

which looks like so:

HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)

that last (\.?|\b) should really be (?:\.?|\b) otherwise even logstash will output an empty group ? unless of course some parsers are simply not outputting non named groups.