grok expression for Sophos syslog

I am having a lot of trouble trying to figure out grok expression for the following message types (coming from a Sophos UTM)

Apr 28 16:57:49 utm-vap-xx.domain.local 2018: 04:28-17:02:05 s-utm-01 httpproxy[52816]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="" dstip="" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15" request="0xdae2cc00" url=" referer="" error="" authtime="0" dnstime="905" cattime="143" avscantime="2275" fullreqtime="238344" device="0" auth="0" ua="Mozilla/4.0 (compatible; Win32; Commtouch Http Client (curl))" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States" content-type="text/html" sandbox="-"

The problem arises when I want to skip fields or when value pairs contain empty string. For example in Logstash adding something like


is causing problems, while these do work in the online grok builder

The goal is to get something like this

Destination IP
Protocol etc

I am also intending to use the geo-tags in Logstash which I already have working with other sources.

Looking forward to receive some valueable help. Thanks