No. Don't use subsearches for stuff like this. Remember that subsearches have limit for returned number of results (50k by default) and limited execution time (60 seconds? I don't remember). And what's most annoying about them is that they fail silently if hit any of those limits. So inputlookup with a predictable number of results is a relatively good candidate for a subsearch. A complicated search with long execution time and many returned results is not.

Anyway, your subsearch has one mistake (you do stats count and then want to table a non-existent field; I assume it's a mistake in re-typing the search here) and one very ugly condition - the "NOT *%*" part - it makes Splunk have to go and read all your events from the last 90 days to check whether they match or not. It can't use its indexes. So the search will most definitely time out and - as I wrote above - fail silently and produce incomplete results if any at all.

Below works slowly. It results into a correct count of 16300 records approx.:

earliest=-1d index=log-13120-nonprod-c laas_appId=qbmp.prediction*  "jobPredictionAnalysis" prediction lastEndDelta

| join

[ | inputlookup freq_used_jobs_bmp_3months.csv ]

| stats count, values(freq_count) by jobname

But can I do a reverse thing like this?:

My logic is only the inputlookup list of jobs will be considered and then other columns will be matched from the index, laas_appId. Will this be optimized?

Rather than iterating through millions of jobnames from the index, how to have only those 16.5 thousands jobnames iterated ?

inputlookup freq_used_jobs_bmp_3months.csv

| join

[ search earliest=-1d index=log-13120-nonprod-c laas_appId=qbmp.prediction*  "jobPredictionAnalysis" prediction lastEndDelta ]

| stats count, values(freq_count) by jobname

What is the workaround ?

To put the problem statement generically:

I want splunk query, data analysis to run on a smaller list of jobs (around 20 thousand in number) . I have that list as a csv and created a lookup.

I now want SPLs to read  this pool of jobs ONLY  for analysis.

| lookup freq_used_jobs_bmp_3months.csv jobname output freq_count ... this does NOT work!

Only the below SPL works ! 

index=log-13120-nonprod-c laas_appId=qbmp.prediction* sourcetype="qbmp.prediction_analyzer:app" "jobPredictionAnalysis" "prediction" "lastEndDelta"

| eval accuracy_category = case( abs(lastEndDelta) <= 600, 10, (abs(lastEndDelta) > 600 and abs(lastEndDelta) <= 1200), 20, (abs(lastEndDelta) > 1200 and abs(lastEndDelta) <= 1800), 30, 1==1,40)
| eval timeDistance_category = case(timeDistance <= 3600, 1, (timeDistance>3600 and timeDistance<=7200),2,(timeDistance>7200 and timeDistance<=10800),3,1==1,4)
| where instance like "P%" and timeDistance_category<=3
| join

[ inputlookup freq_used_jobs_bmp_3months.csv ]

| chart count(predicted_end_time) by timeDistance_category,accuracy_category

And there has to be a join.

Without a join how will my large number of events (in the index) match like an  equijoin with a list of 17K jobs in the  lookup file ?

More generically, 
(lookup file that has one column of 2000 jobname)
(join this to a search such that the execution is for the 2000 jobs above and not the millions of jobs and other fields on index)

If you want to use a lookup to generate a set of conditions, you can use a subsearch (keep in mind all the restrictions regarding subsearches).

So if you have a lookup jobs that has a field called ID and want only to find events that have the field jobid corresponding to that field, you can construct your search like this:

<your_base_search> [ | inputlookup jobs | table ID | rename ID as jobid ]

But this works relatively well for a "reasonable" number of entries in the lookup. I have no idea how it (in)effectively it will work with several thousand conditions.