My assumption was that this lookup is dynamic so when you remove an IOC from the original lookup, this gets reflected in the ip_intel and other collections as well once the threat searches are run. I tried this and the IOC still exists in the collection and threat searches still run against it. When I add an IOC to the lookup, this gets added to ip_intel as well so that's working as expected.
Am I wrong in thinking that IOCs get removed from ip_intel and other collections when you remove an IOC from the original lookup? Is the only way to remove an IOC to re-write the ip_intel without the said IOC using 'outputlookup'?