Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: f9fd055aef
Branches Tags
elasticsearch
/
docs
/
reference
/
esql
/
esql-lookup-join.asciidoc

esql-lookup-join.asciidoc 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183 
  1. === LOOKUP JOIN
    2. 

  2. 

  3. ++++
    4. 

  4. <titleabbrev>Correlate data with LOOKUP JOIN</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. The {esql} <<esql-lookup-join,LOOKUP join>>
    8. 

  8. processing command combines data from your {esql} query results
    9. 

  9. table with matching records from a specified lookup index. It adds
    10. 

  10. fields from the lookup index as new columns to your results table based
    11. 

  11. on matching values in the join field.
    12. 

  12. 

  13. Teams often have data scattered across multiple indices – like logs,
    14. 

  14. IPs, user IDs, hosts, employees etc. Without a direct way to enrich or
    15. 

  15. correlate each event with reference data, root-cause analysis, security
    16. 

  16. checks, and operational insights become time-consuming.
    17. 

  17. 

  18. For example, you can use `LOOKUP JOIN` to:
    19. 

  19. 

  20. * Retrieve environment or ownership details for each host to correlate
    21. 

  21. your metrics data.
    22. 

  22. * Quickly see if any source IPs match known malicious addresses.
    23. 

  23. * Tag logs with the owning team or escalation info for faster triage and
    24. 

  24. incident response.
    25. 

  25. 

  26. <<esql-lookup-join,LOOKUP join>> is similar to <<esql-enrich-data,ENRICH>>
    27. 

  27. in the fact that they both help you join data together. You should use
    28. 

  28. `LOOKUP JOIN` when:
    29. 

  29. 

  30. * Your enrichment data changes frequently
    31. 

  31. * You want to avoid index-time processing
    32. 

  32. * You want SQL-like behavior, so that multiple matches result in multiple rows
    33. 

  33. * You need to match on any field in a lookup index
    34. 

  34. * You use document or field level security
    35. 

  35. * You want to restrict users to use only specific lookup indices
    36. 

  36. * You do not need to match using ranges or spatial relations
    37. 

  37. 

  38. [discrete]
    39. 

  39. [[esql-how-lookup-join-works]]
    40. 

  40. ==== How the `LOOKUP JOIN` command works
    41. 

  41. 

  42. The `LOOKUP JOIN` command adds new columns to a table, with data from
    43. 

  43. {es} indices.
    44. 

  44. 

  45. image::images/esql/esql-lookup-join.png[align="center"]
    46. 

  46. 

  47. [[esql-lookup-join-lookup-index]]
    48. 

  48. lookup_index::
    49. 

  49. The name of the lookup index. This must
    50. 

  50. be a specific index name - wildcards, aliases, and remote cluster
    51. 

  51. references are not supported.
    52. 

  52. 

  53. [[esql-lookup-join-field-name]]
    54. 

  54. field_name::
    55. 

  55. The field to join on. This field must exist
    56. 

  56. in both your current query results and in the lookup index. If the field
    57. 

  57. contains multi-valued entries, those entries will not match anything
    58. 

  58. (the added fields will contain `null` for those rows).
    59. 

  59. 

  60. [discrete]
    61. 

  61. [[esql-lookup-join-example]]
    62. 

  62. ==== Example
    63. 

  63. 

  64. `LOOKUP JOIN` has left-join behavior. If no rows match in the lookup index, `LOOKUP JOIN` retains the incoming row and adds nulls. If many rows in the lookup index match, `LOOKUP JOIN` adds one row per match.
    65. 

  65. 

  66. In this example, we have two sample tables:
    67. 

  67. 

  68. *employees*
    69. 

  69. 

  70. [cols=",,,,,",options="header",]
    71. 

  71. |===
    72. 

  72. |birth++_++date |emp++_++no |first++_++name |gender |hire++_++date
    73. 

  73. |language
    74. 

  74. |1955-10-04T00:00:00Z |10091 |Amabile |M |1992-11-18T00:00:00Z |3
    75. 

  75. 

  76. |1964-10-18T00:00:00Z |10092 |Valdiodio |F |1989-09-22T00:00:00Z |1
    77. 

  77. 

  78. |1964-06-11T00:00:00Z |10093 |Sailaja |M |1996-11-05T00:00:00Z |3
    79. 

  79. 

  80. |1957-05-25T00:00:00Z |10094 |Arumugam |F |1987-04-18T00:00:00Z |5
    81. 

  81. 

  82. |1965-01-03T00:00:00Z |10095 |Hilari |M |1986-07-15T00:00:00Z |4
    83. 

  83. |===
    84. 

  84. 

  85. *languages++_++non++_++unique++_++key*
    86. 

  86. 

  87. [cols=",,",options="header",]
    88. 

  88. |===
    89. 

  89. |language++_++code |language++_++name |country
    90. 

  90. |1 |English |Canada
    91. 

  91. |1 |English |
    92. 

  92. |1 | |United Kingdom
    93. 

  93. |1 |English |United States of America
    94. 

  94. |2 |German |++[++Germany{vbar}Austria++]++
    95. 

  95. |2 |German |Switzerland
    96. 

  96. |2 |German |
    97. 

  97. |4 |Quenya |
    98. 

  98. |5 | |Atlantis
    99. 

  99. |++[++6{vbar}7++]++ |Mv-Lang |Mv-Land
    100. 

  100. |++[++7{vbar}8++]++ |Mv-Lang2 |Mv-Land2
    101. 

  101. |Null-Lang |Null-Land |
    102. 

  102. |Null-Lang2 |Null-Land2 |
    103. 

  103. |===
    104. 

  104. 

  105. Running the following query would provide the results shown below.
    106. 

  106. 

  107. [source,esql]
    108. 

  108. ----
    109. 

  109. FROM employees
    110. 

  110. | EVAL language_code = emp_no % 10
    111. 

  111. | LOOKUP JOIN languages_lookup_non_unique_key ON language_code
    112. 

  112. | WHERE emp_no > 10090 AND emp_no < 10096
    113. 

  113. | SORT emp_no, country
    114. 

  114. | KEEP emp_no, language_code, language_name, country;
    115. 

  115. ----
    116. 

  116. 

  117. [cols=",,,",options="header",]
    118. 

  118. |===
    119. 

  119. |emp++_++no |language++_++code |language++_++name |country
    120. 

  120. |10091 |1 |English |Canada
    121. 

  121. |10091 |1 |null |United Kingdom
    122. 

  122. |10091 |1 |English |United States of America
    123. 

  123. |10091 |1 |English |null
    124. 

  124. |10092 |2 |German |++[++Germany, Austria++]++
    125. 

  125. |10092 |2 |German |Switzerland
    126. 

  126. |10092 |2 |German |null
    127. 

  127. |10093 |3 |null |null
    128. 

  128. |10094 |4 |Spanish |null
    129. 

  129. |10095 |5 |null |France
    130. 

  130. |===
    131. 

  131. 

  132. [IMPORTANT]
    133. 

  133. ====
    134. 

  134. `LOOKUP JOIN` does not guarantee the output to be in
    135. 

  135. any particular order. If a certain order is required, users should use a
    136. 

  136. <<esql-sort,`SORT`>> somewhere after the `LOOKUP JOIN`.
    137. 

  137. ====
    138. 

  138. 

  139. [discrete]
    140. 

  140. [[esql-lookup-join-prereqs]]
    141. 

  141. ==== Prerequisites
    142. 

  142. 

  143. To use `LOOKUP JOIN`, the following requirements must be met:
    144. 

  144. 

  145. * *Compatible data types*: The join key and join field in the lookup
    146. 

  146. index must have compatible data types. This means:
    147. 

  147. ** The data types must either be identical or be internally represented
    148. 

  148. as the same type in {esql}
    149. 

  149. ** Numeric types follow these compatibility rules:
    150. 

  150. *** `short` and `byte` are compatible with `integer` (all represented as
    151. 

  151. `int`)
    152. 

  152. *** `float`, `half_float`, and `scaled_float` are compatible
    153. 

  153. with `double` (all represented as `double`)
    154. 

  154. ** For text fields: You can only use text fields as the join key on the
    155. 

  155. left-hand side of the join and only if they have a `.keyword` subfield
    156. 

  156. 

  157. To obtain a join key with a compatible type, use a
    158. 

  158. <<esql-type-conversion-functions,conversion function>> if needed.
    159. 

  159. 

  160. For a complete list of supported data types and their internal
    161. 

  161. representations, see the <<esql-supported-types,Supported Field Types documentation>>.
    162. 

  162. 

  163. [discrete]
    164. 

  164. [[esql-lookup-join-limitations]]
    165. 

  165. ==== Limitations
    166. 

  166. 

  167. The following are the current limitations with `LOOKUP JOIN`
    168. 

  168. 

  169. * Indices in <<index-mode-setting,lookup>> mode are always single-sharded.
    170. 

  170. * Cross cluster search is unsupported initially. Both source and lookup indices
    171. 

  171. must be local.
    172. 

  172. * Currently, only matching on equality is supported.
    173. 

  173. * `LOOKUP JOIN` can only use a single match field and a single index.
    174. 

  174. Wildcards, aliases, datemath, and datastreams are not supported.
    175. 

  175. * The name of the match field in
    176. 

  176. `LOOKUP JOIN lu++_++idx ON match++_++field` must match an existing field
    177. 

  177. in the query. This may require renames or evals to achieve.
    178. 

  178. * The query will circuit break if there are too many matching documents
    179. 

  179. in the lookup index, or if the documents are too large. More precisely,
    180. 

  180. `LOOKUP JOIN` works in batches of, normally, about 10,000 rows; a large
    181. 

  181. amount of heap space is needed if the matching documents from the lookup
    182. 

  182. index for a batch are multiple megabytes or larger. This is roughly the
    183. 

  183. same as for `ENRICH`.
    184.