cloudfoundry-community / logsearch-boshrelease

A BOSH-scalable ELK release
Apache License 2.0
45 stars, 49 forks

Getting grok parse failures on fields that should match #176

Closed jghiloni closed 4 years ago

jghiloni commented 4 years ago

Logsearch version: 211.0.2
Logsearch for cloudfoundry version: 211.0.2

We are getting platform messages in our ES index that have been tagged with fail/syslog_standard/_grokparsefailure-syslog_standard-5424/sds, but testing the message with https://grokdebug.herokuapp.com actually passes.

Message (sanitized)

<14>1 2020-04-09T20:12:14.707859Z 6.7.8.9 cloud_controller_ng rs2 - [instance@47450 director="" deployment="cf-xxxxx" group="cloud_controller" az="az2" id="84797b79-aa5b-4d4e-a819-b988ed12669b"] I, [2020-04-09T20:12:14.479425 #6]  INFO -- : CEF:0|cloud_foundry|cloud_controller_ng|2.139.0|GET /v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431|GET /v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431|0|rt=1586463134479 suser= suid=firehose-to-syslog request=/v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431 requestMethod=GET src=10.8.95.19 dst=10.8.92.15 cs1Label=userAuthenticationMechanism cs1=oauth-access-token cs2Label=vcapRequestId cs2=cdb28fee-3ae5-4624-7dcb-01b43e5f98f7::d1cc618f-053b-4450-bc92-ec203fce4141 cs3Label=result cs3=success cs4Label=httpStatusCode cs4=200 cs5Label=xForwardedFor cs5=1.2.3.4,1.2.3.5

When we view the log in Kibana, the @source.* fields that would be populated from the syslog_sd_params hash are set to the literal %{[syslog_sd_params][FIELD_NAME]}.

Any help in determining what we might be doing wrong here, or if there is a bug, would be greatly appreciated.
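Added example, not code from logsearch-boshrelease or from the reporter: a strict RFC 5424 parser with STRUCTURED-DATA handling, a Logstash-style sprintf, and a small model of a grok followed by a mutate/add_field stage, written in Ruby (the language Logstash filters run in). It checks that the sanitized message above is structurally valid 5424, shows the edge that sanitization can hide (an unescaped `"`, `\` or `]` inside a PARAM-VALUE, which RFC 5424 section 6.3.3 requires to be backslash-escaped and which a strict pattern rejects), and reproduces the literal `%{[syslog_sd_params][...]}` values: Logstash's sprintf leaves a field reference untouched when the field does not exist, so an add_field that runs after a failed grok yields exactly those strings. The sample message is the sanitized line from the issue; the two shorter messages are constructed. The parse-failure tag string is copied from the issue, while the @source field names, the add_field mapping and the stage layout are assumptions, not the project's configuration.

```ruby
# Added example (not from logsearch-boshrelease). Strict RFC 5424 parse of the
# header and STRUCTURED-DATA, a Logstash-style sprintf, and a toy grok+mutate stage.

# Header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = /\A<(?<pri>\d{1,3})>(?<version>\d{1,2}) (?<timestamp>\S+) (?<hostname>\S+) (?<appname>\S+) (?<procid>\S+) (?<msgid>\S+) /
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
# SD-NAME: 1..32 chars, no SP, '=', ']' or '"'. PARAM-VALUE: '"', '\' and ']' must be escaped.
SD_ELEMENT = /\A\[(?<sdid>[^ =\]"]{1,32})(?<params>(?: [^ =\]"]{1,32}="(?:[^"\\\]]|\\.)*")*)\]/
SD_PARAM   = / ([^ =\]"]{1,32})="((?:[^"\\\]]|\\.)*)"/

# Returns an event hash, or nil where a strict 5424 grok pattern would fail.
def parse_5424(line)
  h = HEADER.match(line)
  return nil unless h
  event = {
    "syslog_pri"       => h[:pri].to_i,
    "syslog_version"   => h[:version].to_i,
    "syslog_timestamp" => h[:timestamp],
    "syslog_hostname"  => h[:hostname],
    "syslog_program"   => h[:appname],
    "syslog_procid"    => h[:procid],
    "syslog_msgid"     => h[:msgid],
    "syslog_sd_params" => {},
  }
  rest = line[h.end(0)..-1]
  if rest.start_with?("-")             # NILVALUE: no structured data at all
    rest = rest[1..-1]
  else
    loop do
      e = SD_ELEMENT.match(rest)
      return nil unless e              # malformed SD-ELEMENT: this is where strict patterns break
      e[:params].scan(SD_PARAM) do |name, value|
        event["syslog_sd_params"][name] = value.gsub(/\\(["\\\]])/, '\1')  # undo RFC escaping
      end
      rest = rest[e.end(0)..-1]
      break unless rest.start_with?("[")
    end
  end
  return nil unless rest.empty? || rest.start_with?(" ")   # exactly one SP before MSG
  event["syslog_msg"] = rest[1..-1] || ""
  event
end

# Logstash-style sprintf: %{field} and %{[nested][field]} are resolved from the
# event; a reference to a missing field is left as the literal reference text.
def sprintf_event(template, event)
  template.gsub(/%\{[^}]+\}/) do |ref|
    inner = ref[2..-2]
    path = inner.scan(/\[([^\]]+)\]/).flatten
    path = [inner] if path.empty?
    value = path.reduce(event) { |obj, key| obj.is_a?(Hash) ? obj[key] : nil }
    value.nil? ? ref : value.to_s
  end
end

# Toy model of "grok, then mutate add_field". Tag copied from the issue; the
# @source field names and mapping are assumptions made for this example.
FAIL_TAG = "fail/syslog_standard/_grokparsefailure-syslog_standard-5424/sds"
ADD_FIELDS = {
  "@source.deployment" => "%{[syslog_sd_params][deployment]}",
  "@source.job"        => "%{[syslog_sd_params][group]}",
  "@source.az"         => "%{[syslog_sd_params][az]}",
}

def process(line, gate_on_failure:)
  event = parse_5424(line) || { "message" => line, "tags" => [FAIL_TAG] }
  # Ungated add_field after a failed grok is what produces literal %{...} values.
  return event if gate_on_failure && event["tags"].to_a.include?(FAIL_TAG)
  ADD_FIELDS.each { |field, tpl| event[field] = sprintf_event(tpl, event) }
  event
end

# Sanitized message from the issue.
SAMPLE = '<14>1 2020-04-09T20:12:14.707859Z 6.7.8.9 cloud_controller_ng rs2 - [instance@47450 director="" deployment="cf-xxxxx" group="cloud_controller" az="az2" id="84797b79-aa5b-4d4e-a819-b988ed12669b"] I, [2020-04-09T20:12:14.479425 #6]  INFO -- : CEF:0|cloud_foundry|cloud_controller_ng|2.139.0|GET /v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431|GET /v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431|0|rt=1586463134479 suser= suid=firehose-to-syslog request=/v2/apps/77e3c0b8-aa89-41a1-888e-c078323b1431 requestMethod=GET src=10.8.95.19 dst=10.8.92.15 cs1Label=userAuthenticationMechanism cs1=oauth-access-token cs2Label=vcapRequestId cs2=cdb28fee-3ae5-4624-7dcb-01b43e5f98f7::d1cc618f-053b-4450-bc92-ec203fce4141 cs3Label=result cs3=success cs4Label=httpStatusCode cs4=200 cs5Label=xForwardedFor cs5=1.2.3.4,1.2.3.5'
# Constructed messages: a ']' inside a PARAM-VALUE, unescaped and escaped.
HDR = '<14>1 2020-04-09T20:12:14.707859Z 6.7.8.9 cloud_controller_ng rs2 - '
UNESCAPED = HDR + '[instance@47450 director="" deployment="cf-prod]" group="cloud_controller"] msg'
ESCAPED   = HDR + '[instance@47450 director="" deployment="cf-prod\]" group="cloud_controller"] msg'

if __FILE__ == $0
  p process(SAMPLE, gate_on_failure: false)["@source.deployment"]
  p process(UNESCAPED, gate_on_failure: false)["@source.deployment"]
  p process(UNESCAPED, gate_on_failure: true)["tags"]
end
```

Two checks follow from this. First, when @source.* fields show literal references, confirm the mutate stage is gated on the absence of the parse-failure tag; otherwise the literals are expected output of a failed grok rather than a separate bug. Second, compare the unsanitized message against the RFC 5424 grammar byte by byte: sanitizing for the bug report can replace a value containing an unescaped `"`, `\`, `]` or a non-printable character with a clean placeholder that passes in the grok debugger while the original does not.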