I downvoted this post because this isn't an elegant solution. I don't want to table my fields before I output because there are other fields that I don't want to output but that I want to keep to do other processing with.

Did you ever find an answer to this?  I wanting to do a similar search.  I only want to append specific fields to a lookup table, while keeping the rest of the fields for alert automation.

| appendpipe [ | fields x y z | outputlookup lookup ]

This is exactly what I was looking for!  One interesting thing I noticed, which I am not sure is a bug or not:

• If you run outputlook up and _time is still in the initial pipeline it will output _time to the lookup
  • This happens even if you explicitly try to remove using the field command  
  • A work around would be to rename time, which works but is not ideal

Also to clean this up since this appends to the results of the initial pipeline you will need to follow with a where isnotnull(a), filtering out results on null values that should be present in the appended results.

So the resulting search would be something like:

...initial search...
``` If you don't want _time in your resulting lookup ```
| rename _time as time 
| convert ctime(time) 
``` Select fields for outputing to lookup ```
| appendpipe 
    [| fields a, b, c 
    | outputlookup lookup_file]
``` Remove appended entries by filtering on null fields which should only be present in the appended output ```
| where isnotnull(d)