Change documentation

julian-elastic · julian-elastic · commit 71adaa86454d · 2025-07-23T14:24:09.000-04:00
diff --git a/docs/reference/query-languages/esql/esql-lookup-join.md b/docs/reference/query-languages/esql/esql-lookup-join.md
@@ -1,24 +1,41 @@
 ---
 navigation_title: "Join data with LOOKUP JOIN"
 mapped_pages:
- - https://www.elastic.co/guide/en/elasticsearch/reference/8.18/_lookup_join.html
+  - https://www.elastic.co/guide/en/elasticsearch/reference/8.18/_lookup_join.html
 ---
 
-# Join data from multiple indices with `LOOKUP JOIN` [esql-lookup-join-reference]
+# Join data from multiple indices with
 
-The {{esql}} [`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) processing command combines data from your {{esql}} query results table with matching records from a specified lookup index. It adds fields from the lookup index as new columns to your results table based on matching values in the join field.
+`LOOKUP JOIN` [esql-lookup-join-reference]
 
-Teams often have data scattered across multiple indices – like logs, IPs, user IDs, hosts, employees etc. Without a direct way to enrich or correlate each event with reference data, root-cause analysis, security checks, and operational insights become time-consuming.
+The {{esql}} [
+`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join)
+processing command combines data from your {{esql}} query results table with
+matching records from a specified lookup index. It adds fields from the lookup
+index as new columns to your results table based on matching values in the join
+field.
+
+Teams often have data scattered across multiple indices – like logs, IPs, user
+IDs, hosts, employees etc. Without a direct way to enrich or correlate each
+event with reference data, root-cause analysis, security checks, and operational
+insights become time-consuming.
 
 For example, you can use `LOOKUP JOIN` to:
 
-* Retrieve environment or ownership details for each host to correlate your metrics data.
+* Retrieve environment or ownership details for each host to correlate your
+  metrics data.
 * Quickly see if any source IPs match known malicious addresses.
-* Tag logs with the owning team or escalation info for faster triage and incident response.
+* Tag logs with the owning team or escalation info for faster triage and
+  incident response.
 
 ## Compare with `ENRICH`
 
-[`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) is similar to [`ENRICH`](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich) in the fact that they both help you join data together. You should use `LOOKUP JOIN` when:
+[
+`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join)
+is similar to [
+`ENRICH`](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich)
+in the fact that they both help you join data together. You should use
+`LOOKUP JOIN` when:
 
 * Your enrichment data changes frequently
 * You want to avoid index-time processing
@@ -30,27 +47,36 @@ For example, you can use `LOOKUP JOIN` to:
 
 ## How the command works [esql-how-lookup-join-works]
 
-The `LOOKUP JOIN` command adds fields from the lookup index as new columns to your results table based on matching values in the join field.
+The `LOOKUP JOIN` command adds fields from the lookup index as new columns to
+your results table based on matching values in the join field.
 
 The command requires two parameters:
-- The name of the lookup index (which must have the `lookup` [`index.mode setting`](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting))
+
+- The name of the lookup index (which must have the `lookup` [
+  `index.mode setting`](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting))
 - The name of the field to join on
 
 ```esql
 LOOKUP JOIN <lookup_index> ON <field_name>
 ```
 
 :::{image} ../images/esql-lookup-join.png
-:alt: Illustration of the `LOOKUP JOIN` command, where the input table is joined with a lookup index to create an enriched output table.
+:alt: Illustration of the `LOOKUP JOIN` command, where the input table is joined
+with a lookup index to create an enriched output table.
 :::
 
-If you're familiar with SQL, `LOOKUP JOIN` has left-join behavior. This means that if no rows match in the lookup index, the incoming row is retained and `null`s are added. If many rows in the lookup index match, `LOOKUP JOIN` adds one row per match.
+If you're familiar with SQL, `LOOKUP JOIN` has left-join behavior. This means
+that if no rows match in the lookup index, the incoming row is retained and
+`null`s are added. If many rows in the lookup index match, `LOOKUP JOIN` adds
+one row per match.
 
 ## Example
 
-You can run this example for yourself if you'd like to see how it works, by setting up the indices and adding sample data.
+You can run this example for yourself if you'd like to see how it works, by
+setting up the indices and adding sample data.
 
 ### Sample data
+
 :::{dropdown} Expand for setup instructions
 
 **Set up indices**
@@ -73,6 +99,7 @@ PUT threat_list
   }
 }
 ```
+
 ```console
 PUT firewall_logs
 {
@@ -90,7 +117,9 @@ PUT firewall_logs
 
 **Add sample data**
 
-Next, let's add some sample data to both indices. The `threat_list` index contains known malicious IPs, while the `firewall_logs` index contains logs of network traffic.
+Next, let's add some sample data to both indices. The `threat_list` index
+contains known malicious IPs, while the `firewall_logs` index contains logs of
+network traffic.
 
 ```console
 POST threat_list/_bulk
@@ -113,6 +142,7 @@ POST firewall_logs/_bulk
 {"index":{}}
 {"timestamp":"2025-04-23T10:00:30Z","source.ip":"192.0.2.1","destination.ip":"10.0.0.100","action":"allow","bytes_transferred":512}
 ```
+
 :::
 
 ### Query the data
@@ -128,31 +158,38 @@ FROM firewall_logs # The source index
 
 ### Response
 
-A successful query will output a table. In this example, you can see that the `source.ip` field from the `firewall_logs` index is matched with the `source.ip` field in the `threat_list` index, and the corresponding `threat_level` and `threat_type` fields are added to the output.
+A successful query will output a table. In this example, you can see that the
+`source.ip` field from the `firewall_logs` index is matched with the `source.ip`
+field in the `threat_list` index, and the corresponding `threat_level` and
+`threat_type` fields are added to the output.
 
-|source.ip|action|threat_type|threat_level|
-|---|---|---|---|
-|203.0.113.5|allow|C2_SERVER|high|
-|198.51.100.2|block|SCANNER|medium|
-|203.0.113.5|allow|C2_SERVER|high|
+| source.ip    | action | threat_type | threat_level |
+|--------------|--------|-------------|--------------|
+| 203.0.113.5  | allow  | C2_SERVER   | high         |
+| 198.51.100.2 | block  | SCANNER     | medium       |
+| 203.0.113.5  | allow  | C2_SERVER   | high         |
 
 ### Additional examples
 
-Refer to the examples section of the [`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) command reference for more examples.
+Refer to the examples section of the [
+`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join)
+command reference for more examples.
 
 ## Prerequisites [esql-lookup-join-prereqs]
 
 ### Index configuration
 
-Indices used for lookups must be configured with the [`lookup` index mode](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting).
+Indices used for lookups must be configured with the [
+`lookup` index mode](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting).
 
 ### Data type compatibility
 
-Join keys must have compatible data types between the source and lookup indices. Types within the same compatibility group can be joined together:
+Join keys must have compatible data types between the source and lookup indices.
+Types within the same compatibility group can be joined together:
 
 | Compatibility group    | Types                                                                               | Notes                                                                            |
 |------------------------|-------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
-| **Numeric family**     | `byte`, `short`, `integer`, `long`, `half_float`, `float`, `scaled_float`, `double` | All compatible                    |
+| **Numeric family**     | `byte`, `short`, `integer`, `long`, `half_float`, `float`, `scaled_float`, `double` | All compatible                                                                   |
 | **Keyword family**     | `keyword`, `text.keyword`                                                           | Text fields only as join key on left-hand side and must have `.keyword` subfield |
 | **Date (Exact)**       | `date`                                                                              | Must match exactly                                                               |
 | **Date Nanos (Exact)** | `date_nanos`                                                                        | Must match exactly                                                               |
@@ -164,7 +201,9 @@ To obtain a join key with a compatible type, use a [conversion function](/refere
 
 ### Unsupported Types
 
-In addition to the [{{esql}} unsupported field types](/reference/query-languages/esql/limitations.md#_unsupported_types), `LOOKUP JOIN` does not support:
+In addition to
+the [{{esql}} unsupported field types](/reference/query-languages/esql/limitations.md#_unsupported_types),
+`LOOKUP JOIN` does not support:
 
 * `VERSION`
 * `UNSIGNED_LONG`
@@ -177,11 +216,14 @@ For a complete list of all types supported in `LOOKUP JOIN`, refer to the [`LOOK
 
 ## Usage notes
 
-This section covers important details about `LOOKUP JOIN` that impact query behavior and results. Review these details to ensure your queries work as expected and to troubleshoot unexpected results.
+This section covers important details about `LOOKUP JOIN` that impact query
+behavior and results. Review these details to ensure your queries work as
+expected and to troubleshoot unexpected results.
 
 ### Handling name collisions
 
-When fields from the lookup index match existing column names, the new columns override the existing ones.
+When fields from the lookup index match existing column names, the new columns
+override the existing ones.
 Before the `LOOKUP JOIN` command, preserve columns by either:
 
 * Using `RENAME` to assign non-conflicting names
@@ -197,10 +239,24 @@ any `LOOKUP JOIN`s.
 
 The following are the current limitations with `LOOKUP JOIN`:
 
-* Indices in [`lookup` mode](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting) are always single-sharded.
-* Cross cluster search is unsupported initially. Both source and lookup indices must be local.
+* Indices in [
+  `lookup` mode](/reference/elasticsearch/index-settings/index-modules.md#index-mode-setting)
+  are always single-sharded.
+* Cross cluster search is unsupported initially. Both source and lookup indices
+  must be local.
 * Currently, only matching on equality is supported.
-* `LOOKUP JOIN` can only use a single match field and a single index. Wildcards are not supported.
-  * Aliases, datemath, and datastreams are supported, as long as the index pattern matches a single concrete index {applies_to}`stack: ga 9.1.0`.
-* The name of the match field in `LOOKUP JOIN lu_idx ON match_field` must match an existing field in the query. This may require `RENAME`s or `EVAL`s to achieve.
-* The query will circuit break if there are too many matching documents in the lookup index, or if the documents are too large. More precisely, `LOOKUP JOIN` works in batches of, normally, about 10,000 rows; a large amount of heap space is needed if the matching documents from the lookup index for a batch are multiple megabytes or larger. This is roughly the same as for `ENRICH`.
+* `LOOKUP JOIN` can only use a single match field and a single index. Wildcards
+  are not supported.
+    * Aliases, datemath, and datastreams are supported, as long as the index
+      pattern matches a single concrete index {applies_to}`stack: ga 9.1.0`.
+    * Limitation on matching on a single field is removed. You can use a
+      comma separated list of fields in the `ON` clause
+      {applies_to}`stack: ga 9.2.0`.
+* The name of the match field in `LOOKUP JOIN lu_idx ON match_field` must match
+  an existing field in the query. This may require `RENAME`s or `EVAL`s to
+  achieve.
+* The query will circuit break if there are too many matching documents in the
+  lookup index, or if the documents are too large. More precisely, `LOOKUP JOIN`
+  works in batches of, normally, about 10,000 rows; a large amount of heap space
+  is needed if the matching documents from the lookup index for a batch are
+  multiple megabytes or larger. This is roughly the same as for `ENRICH`.
