Add lookup (#234)

tothmano · web-flow · commit f7c5267e272c · 2025-03-04T10:32:43.000+01:00
diff --git a/apl/tabular-operators/join-operator.mdx b/apl/tabular-operators/join-operator.mdx
@@ -113,10 +113,9 @@ LeftDataset
 - `LeftDataset`: The first dataset, also known as the outer dataset or the left side of the join. If you expect one of the datasets to contain consistently less data than the other, specify the smaller dataset as the left side of the join.
 - `RightDataset`: The second dataset, also known as the inner dataset or the right side of the join.
 - `KindOfJoin`: Optionally, the [kind of join](#kinds-of-join) to perform.
-- `Conditions`: The conditions for matching rows. The conditions are equality expressions that determine how Axiom matches rows from the `LeftDataset` (left side of the equality expression) with rows from the `RightDataset` (right side of the equality expression)).
+- `Conditions`: The conditions for matching rows. The conditions are equality expressions that determine how Axiom matches rows from the `LeftDataset` (left side of the equality expression) with rows from the `RightDataset` (right side of the equality expression). The two sides of the equality expression must have the same data type.
     - To join datasets on a field that has the same name in the two datasets, simply use the field name. For example, `on id`.
     - To join datasets on a field that has different names in the two datasets, define the two field names in an equality expression such as `on id == trace_id`.
-    - The two sides of the equality expression must have the same data type.
     - You can use expressions in the join conditions. For example, to compare two fields of different data types, use `on id_string == tostring(trace_id_int)`.
     - You can define multiple join conditions. To separate conditions, use commas (`,`). Don’t use `and`. For example, `on id == trace_id, span == span_id`.
 
diff --git a/apl/tabular-operators/lookup-operator.mdx b/apl/tabular-operators/lookup-operator.mdx
@@ -0,0 +1,131 @@
+---
+title: lookup
+description: 'This page explains how to use the lookup operator in APL.'
+---
+
+The `lookup` operator extends a primary dataset with a lookup table based on a specified key column. It retrieves matching rows from the lookup table and appends relevant fields to the primary dataset. You can use `lookup` for enriching event data, adding contextual information, or correlating logs with reference tables.
+
+The `lookup` operator is useful when:
+
+- You need to enrich log events with additional metadata, such as mapping user IDs to user profiles.
+- You want to correlate security logs with threat intelligence feeds.
+- You need to extend OpenTelemetry traces with supplementary details, such as service dependencies.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, the `lookup` command performs a similar function by enriching event data with fields from an external lookup table. However, unlike Splunk, APL’s `lookup` operator only performs an inner join.
+
+<CodeGroup>
+```sql Splunk example
+index=web_logs | lookup port_lookup port AS client_port OUTPUT service_name
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| lookup kind=inner ['port_lookup'] on port
+```
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+In ANSI SQL, `lookup` is similar to an `INNER JOIN`, where records from both tables are matched based on a common key. Unlike SQL, APL does not support other types of joins in `lookup`.
+
+<CodeGroup>
+```sql SQL example
+SELECT logs.*, ports.service_name 
+FROM logs
+INNER JOIN port_lookup ports ON logs.port = ports.port;
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| lookup kind=inner ['port_lookup'] on port
+```
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+PrimaryDataset
+| lookup kind=KindOfLookup LookupTable on Conditions
+```
+
+### Parameters
+
+- `PrimaryDataset`: The primary dataset that you want to extend. If you expect one of the tables to contain consistently more data than the other, specify the larger table as the primary dataset.
+- `LookupTable`: The data table containing additional data, also known as the dimension table or lookup table.
+- `KindOfLookup`: Optionally, specifies the lookup type as `leftouter` or `inner`. The default is `leftouter`.
+    - `leftouter` lookup includes all rows from the primary dataset even if they don’t match the conditions. In unmatched rows, the new fields contain nulls.
+    - `inner` lookup only includes rows from the primary dataset if they match the conditions. Unmatched rows are excluded from the output.
+- `Conditions`: The conditions for matching rows from `PrimaryDataset` to rows from `LookupTable`. The conditions are equality expressions that determine how Axiom matches rows from the `PrimaryDataset` (left side of the equality expression) with rows from the `LookupTable` (right side of the equality expression). The two sides of the equality expression must have the same data type.
+    - To use `lookup` on a key column that has the same name in the primary dataset and the lookup table, simply use the field name. For example, `on id`.
+    - To use `lookup` on a key column that has different names in the primary dataset and the lookup table, define the two field names in an equality expression such as `on id == trace_id`.
+    - You can define multiple conditions. To separate conditions, use commas (`,`). Don’t use `and`. For example, `on id == trace_id, span == span_id`.
+
+### Returns
+
+A dataset where rows from `PrimaryDataset` are enriched with matching columns from `LookupTable` based on the key column.
+
+## Use case example
+
+Add a field with human-readable names for each service.
+
+**Query**
+
+```kusto
+let LookupTable=datatable(serviceName:string, humanreadableServiceName:string)[
+	'frontend', 'Frontend',
+	'frontendproxy', 'Frontend proxy',
+	'flagd', 'Flagd',
+	'productcatalogservice', 'Product catalog',
+	'loadgenerator', 'Load generator',
+	'checkoutservice', 'Checkout',
+	'cartservice', 'Cart',
+	'recommendationservice', 'Recommendations',
+	'emailservice', 'Email',
+	'adservice', 'Ads',
+	'shippingservice', 'Shipping',
+	'quoteservice', 'Quote',
+	'currencyservice', 'Currency',
+	'paymentservice', 'Payment',
+	'frauddetectionservice', 'Fraud detection',
+];
+['otel-demo-traces']
+| lookup kind=leftouter LookupTable on $left.['service.name'] == $right.serviceName
+| project _time, span_id, ['service.name'], humanreadableServiceName
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22let%20LookupTable%3Ddatatable(serviceName%3Astring%2C%20humanreadableServiceName%3Astring)%5B%20'frontend'%2C%20'Frontend'%2C%20'frontendproxy'%2C%20'Frontend%20proxy'%2C%20'flagd'%2C%20'Flagd'%2C%20'productcatalogservice'%2C%20'Product%20catalog'%2C%20'loadgenerator'%2C%20'Load%20generator'%2C%20'checkoutservice'%2C%20'Checkout'%2C%20'cartservice'%2C%20'Cart'%2C%20'recommendationservice'%2C%20'Recommendations'%2C%20'emailservice'%2C%20'Email'%2C%20'adservice'%2C%20'Ads'%2C%20'shippingservice'%2C%20'Shipping'%2C%20'quoteservice'%2C%20'Quote'%2C%20'currencyservice'%2C%20'Currency'%2C%20'paymentservice'%2C%20'Payment'%2C%20'frauddetectionservice'%2C%20'Fraud%20detection'%2C%20%5D%3B%20%5B'otel-demo-traces'%5D%20%7C%20lookup%20kind%3Dleftouter%20LookupTable%20on%20%24left.%5B'service.name'%5D%20%3D%3D%20%24right.serviceName%20%7C%20project%20_time%2C%20span_id%2C%20%5B'service.name'%5D%2C%20humanreadableServiceName%22%7D)
+
+**Output**
+
+| _time            | span_id                 | service.name         | humanreadableServiceName |
+|------------------|-------------------------|----------------------|--------------------------|
+| Feb 27, 12:01:55 | 15bf0a95dfbfcd77  | loadgenerator  | Load generator     |
+| Feb 27, 12:01:55 | 86c27626407be459  | frontendproxy  | Frontend proxy     |
+| Feb 27, 12:01:55 | 89d9b5687056b1cf  | frontendproxy  | Frontend proxy     |
+| Feb 27, 12:01:55 | bbc1bac7ebf6ce8a  | frontend       | Frontend           |
+| Feb 27, 12:01:55 | cd12307e154a4817  | frontend       | Frontend           |
+| Feb 27, 12:01:55 | 21fd89efd3d36b15  | frontend       | Frontend           |
+| Feb 27, 12:01:55 | c6e8db2d149ab273  | frontend       | Frontend           |
+| Feb 27, 12:01:55 | fd569a8fce7a8446  | cartservice    | Cart               |
+| Feb 27, 12:01:55 | ed61fac37e9bf220  | loadgenerator  | Load generator     |
+| Feb 27, 12:01:55 | 83fdf8a30477e726  | frontend       | Frontend           |
+| Feb 27, 12:01:55 | 40d94294da7b04ce  | frontendproxy  | Frontend proxy     |
+
+## List of related operators
+
+- [join](/apl/tabular-operators/join-operator): Performs more flexible join operations, including left, right, and outer joins.
+- [project](/apl/tabular-operators/project-operator): Selects specific columns from a dataset, which can be used to refine the output of a lookup operation.
+- [union](/apl/tabular-operators/union-operator): Combines multiple datasets without requiring a key column.
diff --git a/apl/tabular-operators/overview.mdx b/apl/tabular-operators/overview.mdx
@@ -14,7 +14,9 @@ The table summarizes the tabular operators available in APL.
 | [distinct](/apl/tabular-operators/distinct-operator)               | Returns a dataset with unique values from the specified fields, removing any duplicate entries.                                                            |
 | [extend](/apl/tabular-operators/extend-operator)                   | Returns the original dataset with one or more new fields appended, based on the defined expressions.                                                       |
 | [extend-valid](/apl/tabular-operators/extend-valid-operator)       | Returns a table where the specified fields are extended with new values based on the given expression for valid rows.                                      |
+| [join](/apl/tabular-operators/join-operator)                       | Returns a dataset containing rows from two different tables based on conditions.                                                                  |
 | [limit](/apl/tabular-operators/limit-operator)                     | Returns the top N rows from the input dataset.                                                                                                              |
+| [lookup](/apl/tabular-operators/lookup-operator)                   | Returns a dataset where rows from one dataset are enriched with matching columns from a lookup table based on conditions.                                    |
 | [order](/apl/tabular-operators/order-operator)                     | Returns the input dataset, sorted according to the specified fields and order.                                                                             |
 | [parse](/apl/tabular-operators/parse-operator)                     | Returns the input dataset with new fields added based on the specified parsing pattern.                                                                     |
 | [project](/apl/tabular-operators/project-operator)                 | Returns a dataset containing only the specified fields.                                                                                                    |
diff --git a/docs.json b/docs.json
@@ -404,6 +404,7 @@
                   "apl/tabular-operators/extend-valid-operator",
                   "apl/tabular-operators/join-operator",
                   "apl/tabular-operators/limit-operator",
+                  "apl/tabular-operators/lookup-operator",
                   "apl/tabular-operators/order-operator",
                   "apl/tabular-operators/parse-operator",
                   "apl/tabular-operators/project-operator",
