Join is not returning the data with subsearch, I tried many options from other answers but nothing working out.
Target is to check how many departments are using latest version of some software compare to all older versions together.
My search query:
index=abc version!="2.0"
| dedup version thumb_print
| stats count(thumb_print) as OLD_RUNS by department
| join department
[ search index=abc version="2.0"
| dedup version thumb_print
| stats count(thumb_print) as NEW_RUNS by department ]
| eval total=OLD_RUNS + NEW_RUNS
| fillnull value=0
| eval perc=((NEW_RUNS/total)*100)
| eval department=substr(department, 1, 50)
| eval perc=round(perc, 2)
| table department OLD_RUNS NEW_RUNS perc
| sort -perc
Overall this search over 1 week time period expected to return more than 100k events.
Joining is very expensive. I would suggest you just use the BY clause in | chart to diferentiate between the two kinds of versions like can be seen in this run-anywhere example; explaination within code:
| makeresults count=10 ```<- start mock data```
| streamstats count
| eval
version=if(count%2=0,"2.0","1.7"),
thumb_print=random()%100,
department=case(
count%3==0,"a",
count%3==1,"b",
count%3==2,"c"
)
```end mock data```
| dedup version thumb_print
```get the count by department and version
use chart to get vars split by version
since version will be variable names,
rename it to suit your variable names```
| eval version=if(version=="2.0","NEW_RUNS","OLD_RUNS")
| chart
count(thumb_print) AS runs
BY
department
version
```from here its basically your code```
| eval
total=OLD_RUNS+NEW_RUNS,
perc=round(((NEW_RUNS/total)*100),2),
department=substr(department,1,50)
| fields department OLD_RUNS NEW_RUNS perc
| table department OLD_RUNS NEW_RUNS perc
| sort -perc