I have created a lookup table, service.csv

host,service,resource
"host1","fdl","all"
"host2","finance","db"
"host3","campus","web"
"host4","finance","db"
"host5","finance","db"
"host6","finance","app"
"host7","finance","app"

I have created a dashboard with 2 inputs, service and resource, which are both dropdown lists with various options in each, but also with an ALL option with a value of *.

The search linked to this dashboard is as follows:

index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource 
| where service="$service$" AND resource="$resource$"
| table service,resource,host,source,_raw | sort -_raw

When I select a specific service and a specific resource from the dropdown lists, the search returns the desired results from both the lookup table and the data source. However, when I select the ALL (*) option for either or both lists, it get no results returned.

The search looks like:

index="*" source="*secure" ("keyboard")
| lookup "service.csv" host OUTPUT host,service,resource 
| where service="*" AND resource="*"
| table service,resource,host,source,_raw | sort -_raw

Is there a way to resolve this so that I get return the desired results.