You are on the right way:
- Split the logline with grok. You can test your grok pattern via the tester in Kibana.
- Parse the JSON message you get via grok splitting.
- You can operate on the fields you get afterwards.

PS: Logstash is a dedicated product for log ingestion and way easier to operate than the Elasticsearch ingest pipelines. So I discourage the suggestion from Samuele_Lolli.
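The three steps above (grok split, JSON parse, then work on the resulting fields) as one Logstash pipeline. This is an added example, not code from the thread or from the Logstash project; the log line format, the field names (`log_ts`, `level`, `app`, `json_payload`, `payload`) and the tagging rule at the end are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Written for this constructed log line:
#   2024-03-01T10:00:00Z INFO authsvc {"user":"alice","action":"login","result":"failure","src_ip":"10.0.0.5"}
input {
  stdin { }
}

filter {
  # Step 1: split the line. Everything after the app name is captured as the raw JSON string.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:log_ts} %{LOGLEVEL:level} %{WORD:app} %{GREEDYDATA:json_payload}" }
    tag_on_failure => ["_grokparsefailure"]
  }

  # Step 2: parse the JSON, but only if grok actually produced the field.
  if [json_payload] {
    json {
      source => "json_payload"
      # Nest parsed keys under [payload] so a log message cannot overwrite
      # top-level fields such as [host] or [@timestamp].
      target => "payload"
      tag_on_failure => ["_jsonparsefailure"]
    }
  }

  # Use the log's own timestamp as the event time.
  date {
    match  => ["log_ts", "ISO8601"]
    target => "@timestamp"
  }

  # Step 3: operate on the parsed fields, e.g. tag failed logins so a
  # detection rule can pick them up later.
  if [payload][action] == "login" and [payload][result] == "failure" {
    mutate { add_tag => ["auth_failure"] }
  }

  # Drop the intermediate fields once they have been consumed.
  mutate { remove_field => ["json_payload", "log_ts"] }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f this_pipeline.conf` and paste the constructed line on stdin; events that fail either stage keep the `_grokparsefailure` / `_jsonparsefailure` tag instead of being silently dropped, which is what you want to alert on when a log format changes. The grok pattern itself can be tried against sample lines in Kibana's Grok Debugger before it goes into the pipeline.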