I don’t think it is possible with this format, it can’t be done with grok because of the dynamic number of fields, and logfmt does not support these delimiters. Any chance you could modify the format of the statuses?
Thank for your reply.
I found another workaround using processors.strings.replace provided from 1.9.x. This is RC version.
There is another problem. When I use processors.strings.replace, it doesn’t work basicstats aggregation plugin.