diff --git a/docs/reference/query-languages/esql/esql-lookup-join.md b/docs/reference/query-languages/esql/esql-lookup-join.md
index 163323aa0d1bc..dc01cd2b0f9f7 100644
--- a/docs/reference/query-languages/esql/esql-lookup-join.md
+++ b/docs/reference/query-languages/esql/esql-lookup-join.md
@@ -122,7 +122,7 @@ FROM firewall_logs # The source index
 | LOOKUP JOIN threat_list ON source.ip # The lookup index and join field
 | WHERE threat_level IS NOT NULL # Filter for rows non-null threat levels
 | SORT timestamp # LOOKUP JOIN does not guarantee output order, so you must explicitly sort the results if needed
-| KEEP timestamp, source.ip, destination.ip, action, threat_level, threat_type # Keep only relevant fields
+| KEEP source.ip, action, threat_type, threat_level # Keep only relevant fields
 | LIMIT 10 # Limit the output to 10 rows
 ```
 
@@ -130,13 +130,11 @@ FROM firewall_logs # The source index
 A successful query will output a table. In this example, you can see that the `source.ip` field from the `firewall_logs` index is matched with the `source.ip` field in the `threat_list` index, and the corresponding `threat_level` and `threat_type` fields are added to the output.
 
-```
- source.ip | action | threat_type | threat_level
----------------+---------------+---------------+---------------
-203.0.113.5 |allow |C2_SERVER |high
-198.51.100.2 |block |SCANNER |medium
-203.0.113.5 |allow |C2_SERVER |high
-```
+|source.ip|action|threat_type|threat_level|
+|---|---|---|---|
+|203.0.113.5|allow|C2_SERVER|high|
+|198.51.100.2|block|SCANNER|medium|
+|203.0.113.5|allow|C2_SERVER|high|
 
 ### Additional examples