Hi,
Join is not returning the data with a subsearch. I tried many options from other answers, but nothing is working out.
The target is to check how many departments are using the latest version of some software compared to all older versions together.
My search query:
index=abc version!="2.0"
| dedup version thumb_print
| stats count(thumb_print) as OLD_RUNS by department
| join department
    [search index=abc version="2.0"
    | dedup version thumb_print
    | stats count(thumb_print) as NEW_RUNS by department ]
| eval total=OLD_RUNS + NEW_RUNS
| fillnull value=0
| eval perc=((NEW_RUNS/total)*100)
| eval department=substr(department, 1, 50)
| eval perc=round(perc, 2)
| table department OLD_RUNS NEW_RUNS perc
| sort -perc
Overall, this search over a 1 week time period is expected to return more than 100k events.