That is a lot of different questions in one post!
I would start by parsing off the common fields using a dissect filter.
```
dissect { mapping => { "message" => "%{ts} %{+ts} %{hostname} %{packet-engine} : %{restOfLine}" } }
```
You appear to be using mutate to discard the timestamp. If you really do not want those fields, then you can use
```
dissect { mapping => { "message" => "%{} %{} %{hostname} %{packet-engine} : %{restOfLine}" } }
```
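Added example, not part of the original post and not Logstash's own code: a small Python re-implementation of the three dissect tokens used above (`%{name}`, `%{+name}`, `%{}`), run on a constructed log line to show which fields each mapping yields. The sample line and the function name `dissect` are assumptions, and other dissect modifiers are not handled.

```python
import re

TOKEN = re.compile(r"%\{([^}]*)\}")

def dissect(mapping, line):
    """Subset of dissect: %{name}, %{+name} (append) and %{} (skip).

    Returns a dict of fields, or None when a delimiter is missing
    (Logstash would tag such an event with _dissectfailure).
    """
    # re.split with a capture group alternates literal text and field names.
    parts = TOKEN.split(mapping)
    literals, names = parts[0::2], parts[1::2]
    if not line.startswith(literals[0]):
        return None
    pos, fields = len(literals[0]), {}
    for i, name in enumerate(names):
        delim = literals[i + 1]
        if delim:
            end = line.find(delim, pos)
            if end < 0:
                return None          # expected delimiter not present
        else:
            end = len(line)          # last field takes the rest of the line
        value, pos = line[pos:end], end + len(delim)
        if name.startswith("+") and name[1:] in fields:
            # Append, joined with the delimiter that preceded this field.
            fields[name[1:]] += literals[i] + value
        elif name:                   # an empty name, %{}, is a skip field
            fields[name.lstrip("+")] = value
    return fields

KEEP_TS = "%{ts} %{+ts} %{hostname} %{packet-engine} : %{restOfLine}"
DROP_TS = "%{} %{} %{hostname} %{packet-engine} : %{restOfLine}"
# Constructed sample line, not taken from the original question.
SAMPLE = "2021-03-04 10:15:30 fw01 pe0 : TCP connection denied src=10.0.0.5"

if __name__ == "__main__":
    print(dissect(KEEP_TS, SAMPLE))
    print(dissect(DROP_TS, SAMPLE))
    print(dissect(KEEP_TS, "line without the expected delimiters"))
```

Lines that return `None` here correspond to events worth routing somewhere visible in a real pipeline, so that unparsed log lines are not silently lost.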