Not necessarily as a cross product. I want the values of the lookups to be combined based on the combination of the src_port and dest_port inputs. For example, if i combined table1 and table 2, I would like lookup1_output and lookup2_output to be combined into a single multi-value field.

So, based on your example data, you want combine lookup output for src-dest combination of 1-2, 1-3,2-1,2-3,3-1,3-2..? I think you want to combine output value for a give combination of src-dest, so just want to understand how you're coming up with src-dest combination.

No, It's not necessary that it needs to be a catesian product, but it could be so. to explain it better, I have a src_port field and a dest_port field in my event data. I would like to find the protocol associated with each source port and each destination port. I am using 2 automatic lookups to find the src_protocol(as lookup1_output in my example) and dest_protocol(lookup2_output). Most events in my data have both src_port as well as dest_port , but it's not necessary that both fields should have values. When there is a case that the lookup returns values for both, i would like to combine the src_protocol output field and the dest_protocol output field to give me a multivalue field called protocol. If you have any idea as to how to combine the 2 lookup outputs to a single multi-value field, I can figure out the solution to the scenarios where the cartesian rule does not hold 🙂