Trang chủ Khám phá Trợ giúp
Đăng nhập
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: 546a20a6d4
Branches Tags
elasticsearch
/
docs
/
reference
/
esql
/
esql-lookup-join.asciidoc

esql-lookup-join.asciidoc 6.2 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184 
  1. === LOOKUP JOIN
    2. 

  2. 

  3. ++++
    4. 

  4. <titleabbrev>Correlate data with LOOKUP JOIN</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. The {esql} <<esql-lookup-join,LOOKUP join>> 
    8. 

  8. processing command combines data from your {esql} query results
    9. 

  9. table with matching records from a specified lookup index. It adds
    10. 

  10. fields from the lookup index as new columns to your results table based
    11. 

  11. on matching values in the join field.
    12. 

  12. 

  13. Teams often have data scattered across multiple indices – like logs,
    14. 

  14. IPs, user IDs, hosts, employees etc. Without a direct way to enrich or
    15. 

  15. correlate each event with reference data, root-cause analysis, security
    16. 

  16. checks, and operational insights become time-consuming.
    17. 

  17. 

  18. For example, you can use `LOOKUP JOIN` to:
    19. 

  19. 

  20. * Retrieve environment or ownership details for each host to correlate
    21. 

  21. your metrics data.
    22. 

  22. * Quickly see if any source IPs match known malicious addresses.
    23. 

  23. * Tag logs with the owning team or escalation info for faster triage and
    24. 

  24. incident response.
    25. 

  25. 

  26. <<esql-lookup-join,LOOKUP join>> is similar to <<esql-enrich-data,ENRICH>>
    27. 

  27. in the fact that they both help you join data together. You should use
    28. 

  28. `LOOKUP JOIN` when:
    29. 

  29. 

  30. * Your enrichment data changes frequently
    31. 

  31. * You want to avoid index-time processing
    32. 

  32. * You're working with regular indices
    33. 

  33. * You need to preserve distinct matches
    34. 

  34. * You need to match on any field in a lookup index
    35. 

  35. * You use document or field level security
    36. 

  36. * You want to restrict users to a specific lookup indices that they can
    37. 

  37. you
    38. 

  38. 

  39. [discrete]
    40. 

  40. [[esql-how-lookup-join-works]]
    41. 

  41. ==== How the `LOOKUP JOIN` command works
    42. 

  42. 

  43. The `LOOKUP JOIN` command adds new columns to a table, with data from
    44. 

  44. {es} indices.
    45. 

  45. 

  46. image::images/esql/esql-lookup-join.png[align="center"]
    47. 

  47. 

  48. [[esql-lookup-join-lookup-index]]
    49. 

  49. lookup_index::
    50. 

  50. The name of the lookup index. This must
    51. 

  51. be a specific index name - wildcards, aliases, and remote cluster
    52. 

  52. references are not supported.
    53. 

  53. 

  54. [[esql-lookup-join-field-name]]
    55. 

  55. field_name::
    56. 

  56. The field to join on. This field must exist
    57. 

  57. in both your current query results and in the lookup index. If the field
    58. 

  58. contains multi-valued entries, those entries will not match anything
    59. 

  59. (the added fields will contain `null` for those rows).
    60. 

  60. 

  61. [discrete]
    62. 

  62. [[esql-lookup-join-example]]
    63. 

  63. ==== Example
    64. 

  64. 

  65. `LOOKUP JOIN` has left-join behavior. If no rows match in the looked index, `LOOKUP JOIN` retains the incoming row and adds `null`s. If many rows in the lookedup index match, `LOOKUP JOIN` adds one row per match.
    66. 

  66. 

  67. In this example, we have two sample tables:
    68. 

  68. 

  69. *employees*
    70. 

  70. 

  71. [cols=",,,,,",options="header",]
    72. 

  72. |===
    73. 

  73. |birth++_++date |emp++_++no |first++_++name |gender |hire++_++date
    74. 

  74. |language
    75. 

  75. |1955-10-04T00:00:00Z |10091 |Amabile |M |1992-11-18T00:00:00Z |3
    76. 

  76. 

  77. |1964-10-18T00:00:00Z |10092 |Valdiodio |F |1989-09-22T00:00:00Z |1
    78. 

  78. 

  79. |1964-06-11T00:00:00Z |10093 |Sailaja |M |1996-11-05T00:00:00Z |3
    80. 

  80. 

  81. |1957-05-25T00:00:00Z |10094 |Arumugam |F |1987-04-18T00:00:00Z |5
    82. 

  82. 

  83. |1965-01-03T00:00:00Z |10095 |Hilari |M |1986-07-15T00:00:00Z |4
    84. 

  84. |===
    85. 

  85. 

  86. *languages++_++non++_++unique++_++key*
    87. 

  87. 

  88. [cols=",,",options="header",]
    89. 

  89. |===
    90. 

  90. |language++_++code |language++_++name |country
    91. 

  91. |1 |English |Canada
    92. 

  92. |1 |English |
    93. 

  93. |1 | |United Kingdom
    94. 

  94. |1 |English |United States of America
    95. 

  95. |2 |German |++[++Germany{vbar}Austria++]++
    96. 

  96. |2 |German |Switzerland
    97. 

  97. |2 |German |
    98. 

  98. |4 |Quenya |
    99. 

  99. |5 | |Atlantis
    100. 

  100. |++[++6{vbar}7++]++ |Mv-Lang |Mv-Land
    101. 

  101. |++[++7{vbar}8++]++ |Mv-Lang2 |Mv-Land2
    102. 

  102. |Null-Lang |Null-Land |
    103. 

  103. |Null-Lang2 |Null-Land2 |
    104. 

  104. |===
    105. 

  105. 

  106. Running the following query would provide the results shown below.
    107. 

  107. 

  108. [source,esql]
    109. 

  109. ----
    110. 

  110. FROM employees
    111. 

  111. | EVAL language_code = emp_no % 10
    112. 

  112. | LOOKUP JOIN languages_lookup_non_unique_key ON language_code
    113. 

  113. | WHERE emp_no > 10090 AND emp_no < 10096
    114. 

  114. | SORT emp_no, country
    115. 

  115. | KEEP emp_no, language_code, language_name, country;
    116. 

  116. ----
    117. 

  117. 

  118. [cols=",,,",options="header",]
    119. 

  119. |===
    120. 

  120. |emp++_++no |language++_++code |language++_++name |country
    121. 

  121. |10091 |1 |English |Canada
    122. 

  122. |10091 |1 |null |United Kingdom
    123. 

  123. |10091 |1 |English |United States of America
    124. 

  124. |10091 |1 |English |null
    125. 

  125. |10092 |2 |German |++[++Germany, Austria++]++
    126. 

  126. |10092 |2 |German |Switzerland
    127. 

  127. |10092 |2 |German |null
    128. 

  128. |10093 |3 |null |null
    129. 

  129. |10094 |4 |Spanish |null
    130. 

  130. |10095 |5 |null |France
    131. 

  131. |===
    132. 

  132. 

  133. [IMPORTANT]
    134. 

  134. ====
    135. 

  135. `LOOKUP JOIN` does not guarantee the output to be in
    136. 

  136. any particular order. If a certain order is required, users should use a
    137. 

  137. <<esql-sort,`SORT`>> somewhere after the `LOOKUP JOIN`.
    138. 

  138. ====
    139. 

  139. 

  140. [discrete]
    141. 

  141. [[esql-lookup-join-prereqs]]
    142. 

  142. ==== Prerequisites
    143. 

  143. 

  144. To use `LOOKUP JOIN`, the following requirements must be met:
    145. 

  145. 

  146. * *Compatible data types*: The join key and join field in the lookup
    147. 

  147. index must have compatible data types. This means:
    148. 

  148. ** The data types must either be identical or be internally represented
    149. 

  149. as the same type in Elasticsearch's type system
    150. 

  150. ** Numeric types follow these compatibility rules:
    151. 

  151. *** `short` and `byte` are compatible with `integer` (all represented as
    152. 

  152. `int`)
    153. 

  153. *** `float`, `half_float`, and `scaled_float` are compatible
    154. 

  154. with `double` (all represented as `double`)
    155. 

  155. ** For text fields: You can use text fields on the left-hand side of the
    156. 

  156. join only if they have a `.keyword` subfield
    157. 

  157. 

  158. For a complete list of supported data types and their internal
    159. 

  159. representations, see the <<esql-supported-types,Supported Field Types documentation>>.
    160. 

  160. 

  161. [discrete]
    162. 

  162. [[esql-lookup-join-limitations]]
    163. 

  163. ==== Limitations
    164. 

  164. 

  165. The following are the current limitations with `LOOKUP JOIN`
    166. 

  166. 

  167. * `LOOKUP JOIN` will be successful if the join field in the lookup index
    168. 

  168. is a `KEYWORD` type. If the main index's join field is `TEXT` type, it
    169. 

  169. must have an exact `.keyword` subfield that can be matched with the
    170. 

  170. lookup index's `KEYWORD` field.
    171. 

  171. * Indices in <<index-mode-setting,lookup>> mode are always single-sharded.
    172. 

  172. * Cross cluster search is unsupported. Both source and lookup indices
    173. 

  173. must be local.
    174. 

  174. * `LOOKUP JOIN` can only use a single match field and a single index.
    175. 

  175. Wildcards, aliases, datemath, and datastreams are not supported.
    176. 

  176. * The name of the match field in
    177. 

  177. `LOOKUP JOIN lu++_++idx ON match++_++field` must match an existing field
    178. 

  178. in the query. This may require renames or evals to achieve.
    179. 

  179. * The query will circuit break if there are too many matching documents
    180. 

  180. in the lookup index, or if the documents are too large. More precisely,
    181. 

  181. `LOOKUP JOIN` works in batches of, normally, about 10,000 rows; a large
    182. 

  182. amount of heap space is needed if the matching documents from the lookup
    183. 

  183. index for a batch are multiple megabytes or larger. This is roughly the
    184. 

  184. same as for `ENRICH`.
    185.