Getting _grokparsefailure for grok pattern on [audit_data][messages] field for modsecurity json log?

Whenever I have a problem like this, I like to trim the grok pattern to just one capture, run the pipeline, and make sure it works. Add another small capture. Run the pipeline. Make sure it works, add another small capture.

Oftentimes there can be small differences between what we think the input data looks like and what it actually looks like. Or there can be special characters or Unicode characters that aren't working as we expect.

The simplest way to figure this out is to just trim your grok and slowly add it back until it stops working again.

You can also log field values from a Ruby filter to make sure they are matching or capturing what you expect at different steps of your pipeline: Logging from within Ruby Filter - #3 by guyboertje
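
The trim-and-add-back approach from the reply above, as an added example that is not part of the original thread: it grows a pattern one capture at a time and reports the first fragment that stops matching. It uses plain Ruby regular expressions as a stand-in for grok; the sample message, the fragment list and the helper names are constructed for illustration.

```ruby
# Constructed sample of one [audit_data][messages] entry (not taken from the thread).
# A non-breaking space (U+00A0) sits before "[id": it renders like a space but is not one.
SAMPLE = "Warning. Pattern match \"(?i:select)\" at ARGS:q. " \
         "[file \"/etc/modsecurity/rules.conf\"] [line \"42\"]\u00A0" \
         "[id \"100001\"] [msg \"Constructed test rule\"]"

# Hypothetical pattern, split into fragments that each add one small capture.
FRAGMENTS = [
  '^(?<action>\w+)\.',
  ' (?<detail>.*?)',
  ' \[file "(?<rule_file>[^"]+)"\]',
  ' \[line "(?<rule_line>\d+)"\]',
  ' \[id "(?<rule_id>\d+)"\]',
  ' \[msg "(?<rule_msg>[^"]+)"\]'
].freeze

# Grow the pattern one fragment at a time; return the index of the first
# fragment that makes the match fail, or nil when the whole pattern matches.
def first_failing_fragment(fragments, text)
  pattern = +''
  fragments.each_with_index do |fragment, index|
    pattern << fragment
    return index unless Regexp.new(pattern).match?(text)
  end
  nil
end

# List [offset, "U+XXXX"] for every character that is non-ASCII or a control
# character, i.e. the ones most likely to differ from what the pattern expects.
def suspicious_chars(text)
  text.each_char.with_index
      .select { |char, _| !char.ascii_only? || char.match?(/[[:cntrl:]]/) }
      .map { |char, offset| [offset, format('U+%04X', char.ord)] }
end

if __FILE__ == $PROGRAM_NAME
  failed = first_failing_fragment(FRAGMENTS, SAMPLE)
  puts failed ? "stops matching at fragment #{failed}: #{FRAGMENTS[failed]}" : 'full match'
  puts "suspicious characters: #{suspicious_chars(SAMPLE).inspect}"
  puts "escaped input: #{SAMPLE.dump}"
end
```

The same order of work applies in the Logstash pipeline itself: add captures back to the grok match one at a time and inspect the raw field value when a step fails.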