There has always been a problem with parsing a "headered" structured data. There is even an open idea about it. https://ideas.splunk.com/ideas/EID-I-208
The easiest way to go about it would be probably to parse the header into indexed fields if needed (most of it should already be parsed into _time and host; you could however want to have the process name and pid stored) and then strip the header completely with SEDCMD or INGEST_EVAL (I don't remember if SEDCMD works before or after transforms are called).
This way you'd be left with an all-json event which Splunk can handle with proper KV_MODE.