@koreamit3483 wrote:

I have data coming in where I have a field called Result which holds data as below

1) "FAIL"

2) " FAIL "

3) "PASS"

4) " PASS "

now i have created a dashboard where the Result field is used in Drop down box. I have cleared the extra space from the field using

| rex mode = sed field=Result "s/ //g"|

 in dropdown values.

I have a data also showing on dashboard using the count as 

stats count(eval(searchmatch("PASS"))) AS PASS count(eval(searchmatch("FAIL"))) AS FAIL

which also have cleared the space using 

| rex mode =  sed field=Result "s/ //g"|

but when I select "PASS" or "FAIL" in drop down and submit the data on dashboard, it excludes the data which has values with space in it (i.e. " FAIL " and " PASS ") and shows only the values without space.

How can I solve this.

---

(Nested Spoiler tags make the question very difficult to read.  Additionally, if you illustrate actual search terms in your dashboard search, the question will be much clearer; specifically, illustrate how the dropdown token is being used  in the search.)

Suppose your dropdown token is $results_tok$ and your dashboard search is something like

Results = $results_tok$ blah
``` token used in base search without modification will fail to capture events with space in Results ```
| stats blah

it will only get events without space.  This is expected.

@Gr0und_Z3r0 suggests using "*" wildcard.  It should work in base search, e.g.,

Results = $results_tok$* blah
| stats blah

In short, you need to illustrate sanitized search code for others to diagnose a problem.

Here is an emulation of the solution suggested by Gr0und_Z3r0.

| makeresults count=16 ``` emulating raw events ```
| streamstats count
| eval Result = if(count % 2 == 0, "PASS", "FAIL")
| eval Result = if(count % 4 == 0, Result  .  " ", Result)
| eval result = ">" . Result . "<"

``` the following emulates base search where dropdown token value is "PASS" ```
| search Result = PASS*

The result includes both "PASS" and "PASS "