GROK1

{
  "ORA_TS": [
    [
      "Mon Aug 07 16:30:35 2017"
    ]
  ],
  "DAY": [
    [
      "Mon"
    ]
  ],
  "MONTH": [
    [
      "Aug"
    ]
  ],
  "MONTHDAY": [
    [
      "07"
    ]
  ],
  "TIME": [
    [
      "16:30:35"
    ]
  ],
  "HOUR": [
    [
      "16"
    ]
  ],
  "MINUTE": [
    [
      "30"
    ]
  ],
  "SECOND": [
    [
      "35"
    ]
  ],
  "YEAR": [
    [
      "2017"
    ]
  ],
  "ORA_CODE_MSG": [
    [
      "ORA-01555 caused by SQL statement below (SQL ID: 8krbxxwmtnwfy, Query Duration=1458 sec, SCN: 0x0013.f8ae1fd1):"
    ]
  ],
  "ORA_CODE": [
    [
      "ORA-01555"
    ]
  ],
  "ORA-": [
    [
      "ORA-01555"
    ]
  ],
  "SQL_DML": [
    [
      "select customer_id, email_address, uc_email_address, created, last_update from member.customers where uc_email_address is null order by created"
    ]
  ]
}

Grok input:
%{ORA_TS}
%{ORA_CODE_MSG: ora_code}
%{SQL_DML}

Custom Grok patterns:
ORA_TS %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
ORA_CODE (?ORA-[0-9])
ORA_CODE_MSG %{ORA_CODE: ora_code} caused by SQL statement below .
SQL_DML ^(?i)(select|insert into|update|delete from)(?-i) .*