[DOCS] Update esql-lookup-join.md (#127306)

- I trimmed the KEEP query in my final iteration in #127215 but neglected to update the query itself, only the response. This fixes that so the query matches the response.

- 🚘 I also updated the table response to match other ESQL response tables

Author: leemthompo

docs/reference/query-languages/esql/esql-lookup-join.md

@@ -122,21 +122,19 @@ FROM firewall_logs # The source index
 | LOOKUP JOIN threat_list ON source.ip # The lookup index and join field
 | WHERE threat_level IS NOT NULL # Filter for rows non-null threat levels
 | SORT timestamp # LOOKUP JOIN does not guarantee output order, so you must explicitly sort the results if needed
-| KEEP timestamp, source.ip, destination.ip, action, threat_level, threat_type # Keep only relevant fields
+| KEEP source.ip, action, threat_type, threat_level # Keep only relevant fields
 | LIMIT 10 # Limit the output to 10 rows
 ```
 
 ### Response
 
 A successful query will output a table. In this example, you can see that the `source.ip` field from the `firewall_logs` index is matched with the `source.ip` field in the `threat_list` index, and the corresponding `threat_level` and `threat_type` fields are added to the output.
 
-```
-   source.ip   |    action     |  threat_type  | threat_level  
----------------+---------------+---------------+---------------
-203.0.113.5    |allow          |C2_SERVER      |high           
-198.51.100.2   |block          |SCANNER        |medium         
-203.0.113.5    |allow          |C2_SERVER      |high        
-```
+|source.ip|action|threat_type|threat_level|
+|---|---|---|---|
+|203.0.113.5|allow|C2_SERVER|high|
+|198.51.100.2|block|SCANNER|medium|
+|203.0.113.5|allow|C2_SERVER|high|
 
 ### Additional examples