The append command adds its results to the bottom of the current result set.  If the main search returns results "foo" and "bar" and the append returns "baz" and "bat" then the final resullt will be

foo
bar
baz
bat

No relationship is made among any of the results.  You need to do that yourself.  Usually, that's done with the stats command using any field(s) common to all results.

<<main search>>
| append [ <<some other search>> ]
| stats values(*) as * by blah

I am confused.  You already performed

 | stats avg(d_duration) as avg_d_duration, avg(a_duration) as avg_a_duration by def.build, def.hardware

After this, abc.duration no longer exist in data stream, only avg_a_duration.  But then, you have this eval

| eval avg_a_duration=abc.duration  ```<= this is a limit line I want to implement based on the next search ```

This wipes avg_a_duration out with null value because abc.duration no longer exists.

Of course, even if you do not have that eval, the first stats will not give you value for avg_a_duration, either, because the abc.duration only exists with abc.build and abc.hardware.

The best way to start is to describe your use case.  What is the result that you expect from the illustrated data?  What is the logic to "cross" events?  Is there any key to correlate the two builds? (I don't see any in your illustrated data.)  What is the purpose of that last search for abc attributes after you stats over def builds?

If there is no correlation, the best you can do is your search 1 with append.

Hello @yuanliu ,

Thank you for getting back.  I am looking to plot a chart, where the x,y values are the build and duration values (respectively),  based on the latest sw version.   I want to add a limit-line (base-line) captured from the previous sw version, and super impose it on the current chart.  

Since the build numbers will be different from the current and previous sw version, I want to capture a single data point  from previous sw version, and use that as the base-line point.  

How would I go about in getting this in the Splunk search?

TIA

So, to clarify:

1. You want to chart by sw, not hardware.  If you stats by hardware, you will never get the chart by sw.
2. The designation of abc and def is just weird because they are just distractions.  Do the top node really change from event to event in real data?

Assuming that the top node does change from event to event, you'll have to find some way to get rid of because they do not factor into your desired result. (Identical top node will make the search infinitely simpler.)  The function to call is coalesce; but you will need some way to enumerate the top nodes.  In the following, I will use foreach command to iterate.  This is less obvious what it does, so I also put a manual enumeration equivalent in comments.

| foreach *.*
    [ | eval <<MATCHSEG2>> = mvappend(<<MATCHSEG2>>, '<<MATCHSEG1>>.<<MATCHSEG2>>')]
``` the above is equivalent to the following
| eval build = coalesce('abc.build', 'def.build', 'ghi.build')
| eval duration = coalesce('abc.duration', 'def.duration', 'ghi.duration')
| eval sw = coalesce('abc.sw', 'def.sw', 'ghi.sw')```

The next question is: Do you always know the latest sw version and the one before that?  It would be simpler if you do.  Suppose the latest version is gen2 as in illustrated data, and second to last is gen1.

| foreach *.*
    [ | eval <<MATCHSEG2>> = mvappend(<<MATCHSEG2>>, '<<MATCHSEG1>>.<<MATCHSEG2>>')]
| where sw == "gen2"
| chart values(duration) over build

This will give you the chart for gen2.  Then, to overlay a flat line for gen1, you calculate its average, then spread it over gen2 builds. (I believe that average is better than a single data point.)  Like this.

| foreach *.*
    [ | eval <<MATCHSEG2>> = mvappend(<<MATCHSEG2>>, '<<MATCHSEG1>>.<<MATCHSEG2>>')]
| eventstats avg(duration) as avg_duration by sw
| eventstats values(eval(if(sw == "gen1", avg_duration, null()))) as previous_avg
| where sw == "gen2"
| chart values(duration) as duration values(previous_avg) as baseline by build

If you don't know the latest version, you can calculate it based on data.  It is just more calculations.