By the time you get to the end of your subsearch, all you have is one field called Network_Address that contains a single multivalued entry of all of the dst_ip values that show up in your subsearch results. Your transforming stats command washed all the other fields away. The only way to get src_ip and message at that point is to get them from the main search.

In general the point of a subsearch is generate a search filter phrase to apply to your main search. It doesn't get you any more information than you can get from your main search, so all you'd be able to get there are the dst_ip values:

[search sourcetype=sourcetype2 <search string> | table dst_ip | dedup dst_ip | rename dst_ip as Network_Address]

But that doesn't get you your src_ip and message fields.

It seems like what you really want is to have your main search be from sourcetype2, since that has all of your data except for hostname. Then, you could use either a lookup (ideal) or a join (less ideal) to get what you want. If you had a lookup set up that mapped your dst_ip to your hostname called addrtohostname, it would look something like this:

sourcetype=sourcetype2 <search string> 
| lookup addrtohostname dst_ip OUTPUT hostname 
| ... 
| table timestamp src_ip dst_ip hostname message

Read this: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources?r=sear... to learn how you might generate such a lookup automatically.

Alternatively you could use a join. These tend to be a lot slower, so I wouldn't recommend it, but they do work:

sourcetype=sourcetype2 <search string> 
| join dst_ip [search sourcetype=sourcetype1 <search string> | table Network_Address, hostname | rename Network_Address as dst_ip]
| table timestamp src_ip dst_ip hostname message