@yuanliu Thank you for your reply . The following block works for me when run independently .

index="demo1" source="demo2"
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name="test_field_name_1"
| table _raw id_num
| reverse
| filldown id_num

and this query works

| inputlookup sample.csv | fields FailureMsg

but this block does not work for me 

index="demo1" source="demo2"
    [inputlookup sample.csv
    | fields FailureMsg]

 Tried this block as well, it did not work for me 

index="demo1" source="demo2"
    [ | inputlookup sample.csv
    | fields FailureMsg ]

Since above query did not work, entire block you suggested did not work as well 

index="demo1" source="demo2"
    [inputlookup sample.csv
    | fields FailureMsg]
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name=test_field_name_1
| table _raw id_num
| reverse
| filldown id_num

This query works for me when I search for fail_msg1 or fail_msg2

index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2")

any idea how to search this using inputlookup or lookup?

First, please do not use phrases like "does not work" because it conveys little information in the best scenario.  There are many ways a search "does not work".  There could be an error message.  There could be no error, and no output.  There could be output, but not what you expected. And so on and so on.

I assume that what you meant was that the search gave no output.  The problem, then, is that your raw events do NOT have a field named FailureMsg as your OP implied. (I tried to clarify in my previous response.) The fact that index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2") returns results only means that the terms "fail_msg1", "fail_msg2" exist in some events; you need to be explicit about what fields are available at search time.

If you do not have a suitable field name in raw events to limit the search, subsearch can still be used to match straight terms by using a pseudo keyword search.

index="demo1" source="demo2"
    [inputlookup sample.csv
    | fields FailureMsg
    | rename FailureMsg AS search
    | format]
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}"
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name=test_field_name_1
| table _raw id_num
| reverse
| filldown id_num

@yuanliu Thank you for your response again. Apologies for my wording if it created any confusion. I will be more careful going forward. You're right, I meant my search did not return any results in my context.  This query returned my matching search results events . I noticed that id_num field in the search results was blank as I was using filldown to populate id_num fields

index="demo1" source="demo2" 
[inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] 
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" 
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" 
| search test_field_name="test_field_name_1"
| table _raw id_num 
| reverse 
| filldown id_num

I moved lookup at the end after filldown and I see id_num field as well in search results table

index="demo1" source="demo2" 
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" 
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" 
| search test_field_name="test_field_name_1"
| table _raw id_num 
| reverse 
| filldown id_num
[inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] 

Let's not confound different matters.  The original problem has nothing to do with id_num, filldown, or any other subject.  No other data characteristics were described.  The only information about data is filter ( fail_msg1 OR fail_msg2).  Let's focus on this and raise a separate question about id_num.

The big question about the search is: Does this pick the correct events?

index="demo1" source="demo2"
    [inputlookup sample.csv
    | fields FailureMsg
    | rename FailureMsg AS search
    | format]

To help you answer this, edit your sample.csv to ONLY include fail_msg1 and fail_msg2.    Use this lookup to run the search in a fixed interval, e.g., earliest=-1d@d latest=-0d@d.  Then, run the other search in the same fixed interval:

index="demo1" source="demo2" ("fail_msg1" OR "fail_msg2")

Do you get the same events?  In fact, run a third test in the same interval (as long as you run all searches within the same @Day).

index="demo1" source="demo2"
    [makeresults format=csv data="FailureMsg
fail_msg1
fail_msg2"
    | rename FailureMsg AS search
    | format]

If you get the same events from all three, and your id_num is blank, you should look at the events themselves to find why your regex won't work.  In other words.  Because the inputlookup subsearch has no way to influence any operation after events are returned.

We can discuss further if ("fail_msg1" OR "fail_msg2") gives drastically different events from the other two.  In that case, you will need to show raw events returned from each and explain what differences are between two groups of events. (Anonymize as necessary.)

Here is a look at why I am suggesting these tests.  Just take the kernel of those two subsearches without index search:

| inputlookup sample.csv
| fields FailureMsg
| rename FailureMsg AS search
| format

and

| makeresults format=csv data="FailureMsg
fail_msg1
fail_msg2"
| rename FailureMsg AS search
| format

Both will give you

This is why I am confident that the subsearches are identical to ("fail_msg1" OR "fail_msg2").

@yuanliu Thanks again for your detailed explanation. Apologies, I should have asked id_num as a follow-up question and not related to this main question.  Instead of using filldown to populate id_num, I extracted id_num and included as part of fields for every payload upload to Splunk. I have updated to the following query and it worked

index="demo1" source="demo2"
    [inputlookup sample.csv
    | fields FailureMsg
    | rename FailureMsg AS search
    | format ]
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:"
| search test_field_name="test_field_name_1"
| table _raw id_num

Thanks again for your detailed analysis and guidance in helping solve this. 

@yuanliu apologies my bad - moving inputlookup at the end is returning all results (NOT just search results)

index="demo1" source="demo2" 
| rex field=_raw "id_num \{ data: (?P<id_num>\d+) \}" 
| rex field=_raw "test_field_name=(?P<test_field_name>.+)]:" 
| search test_field_name="test_field_name_1"
| table _raw id_num 
| reverse 
| filldown id_num
[inputlookup sample.csv | fields FailureMsg | rename FailureMsg AS search | format] 

 Could you please help ?

Thank you I have added double quotes in my lookup for FailureMsg field.

Could you please help on how we can write lookup query to search for FailureMsg in _raw ?

I mean that you should use " in this search

| search test_field_name="test_field_name_1"