SYSLOGLINE names the parsed message field "message". That field name is the source message, so you end up with an array. This should get you started:
filter {
grok {
match => { "message" => "%{SYSLOGLINE}" }
}
if [message][1] { kv { source => "[message][1]" } }
}