My suggestion for building complex grok patterns is here.
Note that grok debuggers (including kibana) and grok itself sometimes interpret ambiguous patterns differently (and almost every pattern that uses DATA, or especially GREEDYDATA, is ambiguous).