Further testing showed that the Grok WAS working. What threw us for a loop was that the IIS module flips the timestamp fields such that the IIS Access Time is inserted into @timestamp. So when searching we need to look at the original IIS Access Time, not the ingest time.