How to Filter Logs by User Parameter in Sentinel Workbook KQL?

Hi everyone,

I am trying to create a Sentinel Workbook with a dropdown parameter to filter logs based on a selected username. The goal is to dynamically toggle between users and see logs related to each user, including total data downloaded, accessed repositories, and timestamps.

Here’s what I have so far:

Syslog
| extend grpc_method_ = tostring(parse_json(SyslogMessage).["grpc.method"])
| extend grpc_request_glProjectPath_ = tostring(parse_json(SyslogMessage).["grpc.request.glProjectPath"])
| extend username_ = tostring(parse_json(SyslogMessage).username)
| extend user_id_ = tostring(parse_json(SyslogMessage).user_id)
| where isnotempty(username_) 
| where trim(" ", username_) == trim(" ", '{{UserParam}}') 
| extend remote_ip_ = tostring(parse_json(SyslogMessage).remote_ip)
| extend response_bytes_ = tostring(parse_json(SyslogMessage).response_bytes)
| where Facility == "Local"
| where ProcessName <> "ldsclient"
| where isnotempty(response_bytes_)
//| project TimeGenerated, username_, UserParam, grpc_method_, grpc_request_glProjectPath_, remote_ip_, response_bytes_

I set up a dropdown parameter called userParam, which pulls distinct usernames from the logs using this query:

Syslog
| extend username_ = tostring(parse_json(SyslogMessage).username)
| where isnotempty(username_)
| summarize count() by username_
| distinct username_

However, when I select a user from the dropdown, the main query fails. It seems the parameter is not being recognized correctly in the query.

How can I properly reference a dropdown parameter in a Sentinel Workbook KQL query? Is there a better way to filter logs dynamically based on a selected user?

Any help is highly appreciated!