you're right about search and where, however, the test is not the same. i think what i'm saying, in my example, is that if the * had to be extracted from a variable, then it will be treated as a literal, even in search. it's almost like it's trying to do this (notice the escape char) if the value was extracted from a variable that's absent here, or token actually.
index=_* | search
sourcetype="splunk\*"
i can tell you my initial query absolutely does not work. normally I modify what i post from the actual but in this example, it is the exact one, so no inadvertent modifications upon using it. i created a tiny dashboard with both your query and mine. yours works, as you claim it should, and mine doesn't. in yours, it's extracting the * from the token and using it as a wildcard, but in mine it doesn't. the only difference is the AppNo is coming from a lookup table instead of a log file.
below is the tiny dashboard used to compare. to test, though, you may have to change the queries slightly and create an actual lookup table with "AppNo", "FuncNo", "Functionality" with values 1, 1, whatever. I expect to get the values of the lookup table in my query (the first one) like i get values in my log file from yours (the bottom one)
Test Dash
<input type="dropdown" token="app" searchWhenChanged="true">
<label>Application</label>
<choice value="None">None</choice>
<choice value="*">All</choice>
<search>
<query/>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<default>None</default>
<initialValue>None</initialValue>
</input>
<panel>
<html>
<h4>app: $app$</h4>
</html>
</panel>
<panel>
<table>
<search>
<query>| inputlookup Functionalities.csv | search AppNo=$app$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel>
<table>
<search>
<query>index=* earliest=-10m@m latest=-0m@m | search sourcetype=$app$</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
... View more