Hi
Looking at your pictures I see the "'" are not missing in your line, so the filter should be
"messge" => "'createdDateTime': '%{TIMESTAMP_ISO8601:timestamp}', 'userDisplayName': '%{USER:userDisplayName}', 'userPrincipalName': '%{GREEDYDATA:principlename}'"
This should work. If it doesn't I'll start also banging my head on the table 