How to configure open source IT feeds in Graylog

Okay, then I’m totally out of ideas, because threat_intel_lookup_* always returns a true/false, so in your case there has to be an EventID_threat_indicated field present if you restore the pipeline function to actually do the set_fields(…) part.

Only thing I can think of is that you’re not doing the search correctly but that seems unlikely :slight_smile:
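For reference, here is what the lookup-plus-set_fields pattern the reply refers to looks like as a pair of Graylog pipeline rules. This is an added example, not code from the thread or from the Graylog project; it assumes the message carries a `src_addr` field, that `threat_intel_lookup_ip(value, prefix)` returns a map whose keys are built from the prefix (so `"src_addr"` yields `src_addr_threat_indicated` and `src_addr_threat_names`), and that the rules are attached to a stream via a pipeline. The field names and the `threat_match` marker field are illustrative choices.

```graylog
// Stage 0: enrich the message with the threat-intel lookup result.
// Assumed: threat_intel_lookup_ip(value, prefix) returns a map of fields
// named <prefix>_threat_indicated (boolean) and <prefix>_threat_names.
rule "threat intel: lookup source address"
when
  has_field("src_addr")
then
  let intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
  // Without this set_fields() call no *_threat_indicated field is ever
  // written, so a later search for it finds nothing.
  set_fields(intel);
end

// Stage 1: act on the enrichment. Runs after stage 0 so the field exists.
// Here it only tags the message; routing or alerting can key on threat_match.
rule "threat intel: flag matches"
when
  has_field("src_addr_threat_indicated") &&
  to_bool($message.src_addr_threat_indicated) == true
then
  set_field("threat_match", true);
end
```

To verify the first rule is doing its job, search the stream for `_exists_:src_addr_threat_indicated`; every message that passed through the pipeline should carry the field with a true or false value, and only the true ones should also carry `threat_match`.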