Skip to content

ESQL: Add more details on ENRICH vs. LOOKUP JOIN #125487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 24, 2025
Merged

ESQL: Add more details on ENRICH vs. LOOKUP JOIN #125487

merged 2 commits into from
Mar 24, 2025

Conversation

@alex-spies
Copy link
Contributor

I think it's good to point out one more difference: there are enrich policies that match on ranges or spatial relations, which is currently not supported in LOOKUP JOIN.

Other than that, this adds a couple of minor edits (typo fixes, slight rewordings)

@elasticsearchmachine elasticsearchmachine added Team:Docs Meta label for docs team Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) labels Mar 24, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-docs (Team:Docs)

@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)

alex-spies
alex-spies commented Mar 24, 2025
View reviewed changes
docs/reference/query-languages/esql/esql-enrich-data.md

* Enrichment data doesn't change frequently
* You can accept index-time overhead
* You are working with structured enrichment patterns
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't sure what this exactly means; maybe it's a bit too broad.

docs/reference/query-languages/esql/esql-lookup-join.md

* Your enrichment data changes frequently
* You want to avoid index-time processing
* You're working with regular indices
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was not entirely true, as lookup indices are still not perfectly the same as regular indices.

docs/reference/query-languages/esql/esql-lookup-join.md

The following are the current limitations with `LOOKUP JOIN`

* `LOOKUP JOIN` will be successful if the join field in the lookup index is a `KEYWORD` type. If the main index's join field is `TEXT` type, it must have an exact `.keyword` subfield that can be matched with the lookup index's `KEYWORD` field.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is already mentioned above and not a limitation per-se.

alex-spies
alex-spies commented Mar 24, 2025
View reviewed changes
docs/reference/query-languages/esql/esql-commands.md
Comment on lines +680 to 683
```esql
FROM <source_index>
| LOOKUP JOIN <lookup_index> ON <field_name>
```
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use esql formatting for the syntax in the other commands.

docs/reference/query-languages/esql/esql-commands.md
Comment on lines -685 to -688
```esql
FROM firewall_logs
| LOOKUP JOIN threat_list ON source.IP
| WHERE threat_level IS NOT NULL
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved this below to the other examples.

@leemthompo leemthompo added auto-backport Automatically create backport pull requests when merged and removed v8.18.1 v8.19.0 labels Mar 24, 2025
leemthompo
leemthompo approved these changes Mar 24, 2025
View reviewed changes
Copy link
Contributor

@leemthompo leemthompo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I removed 8.x labels because unfortunately we can't backport

@alex-spies
Copy link
Contributor Author

LGTM! I removed 8.x labels because unfortunately we can't backport
Thank you; I'll backport manually.

@alex-spies alex-spies merged commit f8536aa into elastic:main Mar 24, 2025
6 checks passed
@elasticsearchmachine
Copy link
Collaborator

💔 Backport failed

Status Branch Result
9.0 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 125487

@alex-spies alex-spies deleted the docs-more-details-lookup-vs-enrich branch March 24, 2025 15:30
@alex-spies
Copy link
Contributor Author

Err, I think we don't backport to 9.0, either.

@alex-spies alex-spies removed auto-backport Automatically create backport pull requests when merged v9.0.1 backport pending labels Mar 24, 2025
alex-spies added a commit to alex-spies/elasticsearch that referenced this pull request Mar 24, 2025
@alex-spies
Manual backport of elastic#125487
322f272
@alex-spies alex-spies mentioned this pull request Mar 24, 2025
Merged
alex-spies added a commit that referenced this pull request Mar 25, 2025
@alex-spies
[8.x] ESQL: Add more details on ENRICH vs. LOOKUP JOIN #125487 (#125528)
274d1c6 
Manual backport of docs-PR #125487
@alex-spies alex-spies mentioned this pull request Mar 25, 2025
Merged
alex-spies added a commit to alex-spies/elasticsearch that referenced this pull request Mar 25, 2025
@alex-spies
[8.x] ESQL: Add more details on ENRICH vs. LOOKUP JOIN elastic#125487 (
9725f7a 
…elastic#125528)

Manual backport of docs-PR elastic#125487
elasticsearchmachine pushed a commit that referenced this pull request Mar 25, 2025
@alex-spies
[8.x] ESQL: Add more details on ENRICH vs. LOOKUP JOIN #125487 (#125528
b36a5ff 
…) (#125564)

Manual backport of docs-PR #125487
omricohenn pushed a commit to omricohenn/elasticsearch that referenced this pull request Mar 28, 2025
@alex-spies @omricohenn
ESQL: Add more details on ENRICH vs. LOOKUP JOIN to docs (elastic#125487
5bc429e 
)

* Add more details on ENRICH vs. LOOKUP JOIN
* Move example, fix syntax formatting
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leemthompo leemthompo leemthompo approved these changes

@georgewallace georgewallace Awaiting requested review from georgewallace

Assignees

No one assigned

Labels

:Analytics/ES|QL AKA ESQL >docs General docs changes Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) Team:Docs Meta label for docs team v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@alex-spies @elasticsearchmachine @leemthompo