
ESQL: double LOOKUP JOIN/ENRICH on the same policy + STATS VALUES returns wrong values #132634

@alex-spies

Description


Bug found on current main, not yet confirmed whether it was present in earlier versions.

Local reproducer:

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/enrich_idx/_doc" -XPOST -d '{
  "x":1, "y":11
}'

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/enrich_idx/_doc" -XPOST -d '{
  "x":2, "y":22
}'

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/_enrich/policy/my-policy" -XPUT -d'
{
  "match": {
    "indices": "enrich_idx",
    "match_field": "x",
    "enrich_fields": ["y"]
  }
}'

curl -u elastic-admin:elastic-password -H "Content-Type: application/json" "127.0.0.1:9200/_enrich/policy/my-policy/_execute?wait_for_completion=true" -XPOST

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/_query?format=txt" -d '
{
  "query": "row a = 1, b = 2 | enrich my-policy on a with ay = y | enrich my-policy on b with by = y | stats count(*), avalues = values(ay), bvalues = values(`by`)"
}'
   count(*)    |    avalues    |    bvalues    
---------------+---------------+---------------
1              |11             |11    

The last bvalues entry should be 22, not 11 - bvalues somehow uses the value from the first ENRICH, not from the second ENRICH, contrary to how bvalues is defined.

Without the STATS command, the query provides correct results. Also, first plugging the enrich fields into another expression and using that in VALUES seems to work correctly:

curl -u elastic:password -H "Content-Type: application/json" "127.0.0.1:9200/_query?format=txt" -d '
{
  "query": "row a = 1, b = 2 | enrich my-policy on a with ay = y | enrich my-policy on b with by = y | eval ay = ay::keyword, `by` = `by`::keyword | stats count(*), avalues = values(ay), bvalues = values(`by`)"
}'
   count(*)    |    avalues    |    bvalues    
---------------+---------------+---------------
1              |11             |22  
