@yuanliu Thanks again for your detailed explanation. Apologies, I should have asked about id_num as a follow-up question, as it is not related to this main question. Instead of using filldown to populate id_num, I extracted id_num and included it as part of the fields for every payload upload to Splunk. I have updated to the following query and it worked:

index="demo1" source="demo2"
[inputlookup sample.csv
| fields FailureMsg
| rename FailureMsg AS search
| format ]
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name="test_field_name_1"
| table _raw id_num

Thanks again for your detailed analysis and guidance in helping solve this.