When you use the query in dashboard (and I assume you'll have token defined for textbox, lets say token=msisdn), use like this, so that it'll use the single value passed in textbox)

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="$msisdn$" | eval msisdn="999".ltrim(tostring(msisdn),"0") | fields msisdn] |table _time, msisdn, sms

Yes I am using a textbox. The logs are in 999763206619 format and the input is in 0763206619 format.

The query you provided works when I try it in a search field but not in my custom app with the textfield input.

Also, can you try something like this?

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(tostring(msisdn),"0") | fields msisdn] |table _time, msisdn, sms

Are you using a textbox for users to enter the msisdn and that input you want to updated before using in the search OR the msisdn is there in the logs with 0763206619 format and you want to update it??

Here is another find of mine:

This does not work: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(msisdn,"0") | fields msisdn] |table _time, msisdn, sms

This does not work: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="k763206619" | eval msisdn="999".ltrim(msisdn,"k") | fields msisdn] |table _time, msisdn, sms

This works: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="k763206619" | eval msisdn="0".ltrim(msisdn,"k") | fields msisdn] |table _time, msisdn, sms

I am not getting it to work. Can I share something which would display the outcome and help you understand why?

This is the search I am performing:

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(msisdn,"0") | fields msisdn] |table _time, msisdn, sms

Where in the following search query should I add the regex?

index=* event="*" msisdn="$customer_msisdn$" |table _time, msisdn, sms