I have an automatic lookup configured for a particular sourcetype. The events that have this sourcetype are stored in a single index. When I search for these events, the automatic lookup seems to work in that it outputs the fields I would expect. However, when I search more broadly, the automatic lookup does not output the fields. For example, the search below:
index=index1 (other criteria)
| table _time, output_field1, output_field_2, ... output_fieldN
produces the "output_field*" fields. However, if I run a search like the one below:
index IN (index1, index2, index3) (other criteria)
| table _time, output_field1, output_field_2, ... output_fieldN
the "output_field*" fields are not always produced (in very small instances, a single record will have the fields).
I have absolutely no idea why this is the case. For reference, we're running Enterprise Security, and the automatic lookup I have configured for that sourcetype is a lookup against the asset_lookup_by_str KV store. If anyone knows where to look to help figure this out, let me know.