https://community.splunk.com/t5/Splunk-Search/Adding-one-more-field-to-a-sub-search/m-p/18890#M2809 <P>You can try with (instead of top)</P> <PRE><CODE> | stats SRC, duration by SPT | sort - count | head 3 </CODE></PRE> Thu, 26 Sep 2013 14:47:03 GMT emaccaferri 2013-09-26T14:47:03Z https://community.splunk.com/t5/Splunk-Search/Adding-one-more-field-to-a-sub-search/m-p/18889#M2808 <P>Hey guys ,</P> <P>I have created a subsearch for my firewall log files :</P> <P>sourcetype="honetnet" [search sourcetype ="honetnet" | top limit=10 SPT | fields SPT] |top limit=3 SRC BY SPT</P> <P>The results i get is what i wanted , whereby i search for the top 10 SPT(Source ports) and then search for the top 3 SRC(source ip address) for each source port. However , I would like to add one more field(direction) to show the direction of my connection to my search but I am having difficulties. </P> <P>Current output :<BR /> SPT , SRC ,count , percent</P> <P>New output:<BR /> SPT,SRC,<STRONG>direction</STRONG>,count,percent</P> <P>Any ideas? Thanks alot!</P> Tue, 30 Jul 2013 16:01:39 GMT https://community.splunk.com/t5/Splunk-Search/Adding-one-more-field-to-a-sub-search/m-p/18889#M2808 cheukkay 2013-07-30T16:01:39Z https://community.splunk.com/t5/Splunk-Search/Adding-one-more-field-to-a-sub-search/m-p/18890#M2809 <P>You can try with (instead of top)</P> <PRE><CODE> | stats SRC, duration by SPT | sort - count | head 3 </CODE></PRE> Thu, 26 Sep 2013 14:47:03 GMT https://community.splunk.com/t5/Splunk-Search/Adding-one-more-field-to-a-sub-search/m-p/18890#M2809 emaccaferri 2013-09-26T14:47:03Z