Splitting the field

You have value/key pairs there, so although a kv filter will parse it, the results are ugly. I would use ruby.

    grok { match => { "message" => ":  %{GREEDYDATA:disks}" } }
    ruby {
        code => '
            m = event.get("disks").scan(/([0-9]+)% ([^,]*)/)
            m.each { |x|
                event.set("[someField][#{x[1]}]", x[0].to_i)
            }
        '
    }

which produces

     "someField" => {
                      "/storedconfig" => 2,
                               "/opt" => 9,
        "/opt/docker/runtime/overlay" => 9,
                                  "/" => 17,
                              "/boot" => 25,
                         "/localdisk" => 3,
                               "/tmp" => 1
    }
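As an added example (not code from the answer above), the same grok-plus-ruby parsing written in plain Ruby against a constructed sample message, so the regex and integer conversion can be checked outside Logstash; the message text and the function names are assumptions of this example.

```ruby
# Added example: re-implements the grok + ruby filter logic from the answer in
# plain Ruby so it can be run without Logstash. The sample message is
# constructed to produce the same "someField" hash shown in the answer.

SAMPLE_MESSAGE = "disk usage:  2% /storedconfig, 9% /opt, 9% /opt/docker/runtime/overlay, " \
                 "17% /, 25% /boot, 3% /localdisk, 1% /tmp"

# Equivalent of the grok pattern ":  %{GREEDYDATA:disks}": grok is not anchored,
# so the "disks" field is everything after the first ":  " (colon, two spaces).
# Returns nil when the separator is absent, which is when grok would fail.
def extract_disks(message)
  idx = message.index(":  ")
  return nil if idx.nil?
  message[(idx + 3)..-1]
end

# Equivalent of the ruby filter: scan "NN% path" pairs and build a hash keyed
# by path with the integer percentage as value, mirroring
# event.set("[someField][#{path}]", pct.to_i). Text that does not match the
# pattern is simply skipped, as scan would do in the filter.
def parse_disks(disks)
  result = {}
  disks.scan(/([0-9]+)% ([^,]*)/).each do |pct, path|
    result[path] = pct.to_i
  end
  result
end

# Runs both steps as the pipeline would and returns the someField hash
# (an empty hash when the grok step would not have matched).
def some_field_for(message)
  disks = extract_disks(message)
  return {} if disks.nil?
  parse_disks(disks)
end

if __FILE__ == $PROGRAM_NAME
  p some_field_for(SAMPLE_MESSAGE)
end
```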