I sort of simplified the problem so as to make it easy and your solution is correct, but here again my mistake for not mentioning the whole pattern..
it's pretty much the same given string but instead in the middle of a larger string where the general format is something like > "a b c 'a.com/1/2/A/IN' x"
here the actual message is,
"client 1.1.1.1#40162 (a.com): query (cache) 'a.com/A/IN' denied\n"
"message"=> "client %{HOSTNAME:dcip}#([0-9]+) ?(%{HOSTNAME:qry}): ([\S]+) (([\S]+)) (?ltcapturert[\S]+) (?ltbindmsgrt[\S]+)\n"
Here grok passes successfully, and so I just need to focus on the same example 'a.com/1/2/A/IN' (adding single quotes) but instead I'm trying to have it in a larger string.
thanks