You cannot do this with simple event search as you attempted.  To add fields (sometimes called "enrichment"), you need to use lookup command. (Or join with inputlookup and sacrifice performance.  But this doesn't apply in your case.)  Your question is really about wanting to match a wildcard at the beginning of a key, which lookup does not support.  Given your sample data, you don't seem to have a real choice.  So, you will have to take some performance penalty and perform string matches yourself.

People (including myself) used to work around similar limitations in lookup with awkward mvzip-mvexpand-split sequences and the code is difficult to maintain.  Since 8.2, Splunk introduced a set of JSON functions that can represent data structure more expressively.  Here is one method:

| makeresults count=4
| streamstats count
| eval number = case(count=1, 25, count=2, 39, count=3, 31, count=4, null())
| eval string1 = case(count=1, "I like blue berries", count=3, "The sea is blue", count=2, "black is all colors", count=4, "Theredsunisredhot")
| table string1
| append
    [| inputlookup wildlookup.csv
| tojson output_field=wildlookup
| stats values(wildlookup) as wildlookup
| eval wild = json_object()
| foreach wildlookup mode=multivalue
    [ eval wild = json_set(wild, json_extract(<<ITEM>>, "colorkey"), <<ITEM>>)]
| fields wild]
| eventstats values(wild) as wild
| where isnotnull(string1)
| eval colors = json_keys(wild)
| foreach colors mode=json_array
    [eval colorkey = mvappend(colorkey, if(match(string1, <<ITEM>>), <<ITEM>>, null()))]
| mvexpand colorkey ``` in case of multiple matches ```
| foreach flagtype active
    [eval <<FIELD>> = json_extract(json_extract(wild, colorkey), "<<FIELD>>")]
| eval flag = "KEYWORD FLAG"
| table flagtype, flag, string1, colorkey

Note I stripped fields that are irrelevant to the resultant table.  I also made provisions to protect possible multiple color matches.  The output is

Hope this helps.