unfortunately I tried single and double quotes on the fieldname and it does not work.

The issue is with the data quality and there is some sort of errant spacing in it.  I still have a ticket open in splunk as clicking the value of a field should properly put in such spacing but this works as a workaround for me for now.  Im further going to speak with the team where the data is coming out of to make sure the data is going out properly (actually need to verify in raw before I go there).  thanks.

I updated the question maybe just as you where answering.  I found the field was not showing results even when I did a simple search and through the gui chose the value for host.domain.  something fishy is going on.

My last response still holds to test if it in fact whitespace in the string.

As you can see by this screenshot I was able to replicate you issue with trailing whitespace.

But when updating the eval it fixes the output to intended behavior

At the very least this would rule out if whitespace in the string is the issue.

You could also try this on the search bar and see what returns

index=dct_foglight_shr "host.domain"="*prd*"
    | stats count by "host.domain"
    | eval
        dct_domain=case(match('host.domain', "prd"), "Production", match('host.domain', "uat"), "Pre-Production", match('host.domain', "dev"), "Development", true(), "test" )

I think you may be missing the significance of it.  You see its not responding to the field at all for searching.  even when filtering for it using mouse clicks so there is no possibility of errant spaces at that point since splunk itself puts the text in based on mouse selection.  There is something very strange going on.  I have done filtering on other fields with mouseclicks jut in case and they react fine.  Not sure what the issue is with this specific field but its enough of an issue with splunk directly that I just put in a ticket about it.    

Not downplaying the significance, just trying to assist with troubleshooting with similar issues I have seen in the past.

Good luck

and oh wow.  I owe you a big apology as yes, splunk itself is somehow not putting in whats there even when selected with the mouse.  so its still an issue they are looking into and on my side I will be talking to a team about data cleanup but Im going to try your workaround and if it works I will mark it as the fix.

yeah sorry.  im not accusing you of anything.  Its just the problem is showing itself in a much more rigid way.  index=dct_foglight_shr "host.domain"=prd is not working and "host.domain"=prd was added completely with mouseclicks so no possibility at all of whitespace being added as splunk itself is adding it in response to mouse clicks.  So once I have fixed the issue with the field in general if case is still acting wonky I will attempt your fix advice.