I would use a ruby filter for this:
# Split each line into a timestamp, a username and a bracketed usertype
# (SYSLOG5424SD matches '[...]'), and stash the remainder of the line in
# @metadata so it is available to the ruby filter below without being indexed.
# If this pattern does not match, the event is tagged _grokparsefailure and
# [@metadata][restOfLine] stays unset.
# NOTE(review): two GREEDYDATA captures on one line can backtrack heavily on
# long or malformed input; if the source is untrusted, prefer a narrower
# pattern for username (e.g. USERNAME or NOTSPACE) to bound the work per event.
grok { match => { "message" => "%{TIMESTAMP_ISO8601:time} : %{GREEDYDATA:username} %{SYSLOG5424SD:usertype}%{GREEDYDATA:[@metadata][restOfLine]}" } }
# Presumably here for CRLF input: the ruby regex expects '(\S+)\n', and a '\r'
# before the newline would stop that match. Harmless (a no-op) on LF-only input.
mutate { gsub => [ "[@metadata][restOfLine]", "\r", "" ] }
# Strip the surrounding square brackets that SYSLOG5424SD leaves on usertype.
mutate { gsub => [ "usertype", "[\[\]]", "" ] }
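# Parse the repeated stanzas left in [@metadata][restOfLine]
#   <name>
#     RED   : <n>
#     BLUE  : <n>
#     GREEN : <n>
# into an array of {name, red, blue, green} hashes on the top-level
# 'groups' field. Values are kept as strings, as the original did; add
# .to_i on each if a numeric mapping is wanted downstream.
ruby {
  code => "
    data = event.get('[@metadata][restOfLine]')
    # If the grok filter did not match, the metadata field is unset and
    # event.get returns nil; calling scan on nil raises NoMethodError and
    # the event is tagged _rubyexception. Treat a missing field as an empty
    # remainder so the event still flows through with groups => [].
    data = data.to_s
    matches = data.scan(/\n(\S+)\n\s+RED\s+: ([0-9]+)\n\s+BLUE\s+: ([0-9]+)\n\s+GREEN\s+: ([0-9]+)/)
    # Each match is [name, red, blue, green]; scan returns [] when nothing
    # matched, which yields an empty groups array rather than an error.
    groups = matches.map do |name, red, blue, green|
      { 'name' => name, 'red' => red, 'blue' => blue, 'green' => green }
    end
    event.set('groups', groups)
  "
}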
You may not need the first mutate (it only strips carriage returns, which matters if your input uses CRLF line endings). I also assume you want red/blue/green rather than red/blue/blue: a hash cannot hold the same key twice, so the second "blue" would simply overwrite the first.