Sorry no, that's not how it works
will give you...say 1 million events back.
index=cisco_firewall | top error_code limit=5
will give you five events back, each containing aggregate statistics on error_code, but no information on src. That's why this will never work.
index=cisco_firewall | top error_code limit=5 | top src limit=10
If you try;
index=cisco_firewall | top error_code limit=5 | top error_code limit=3
you will get results back, but perhaps not those you were expecting, since there are five unique events in terms of the value you're doing the final top on. The actual top count does not come into the equation. My guess is that you'll get the first three in numerical/alphabetical order.
Then I don't quite understand the results, because when I click over to the events view it shows all of the returned events from the search, so doesn't the additional pipe act upon those results?
Actually, index=cisco_firewall | top error_code limit=5 gives me all of the events that have count(error_code) in the top 5 of all error code counts. It tables 5 lines, but the raw event list is huge.
In addition to kristian's answer, if what you want is retrieving the top 5 error codes and then checking which 10 values of src contributed the most to these, you'll likely want to use a subsearch (http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork)
index=cisco_firewall [search index=cisco_firewall | top error_code limit=5 | fields error_code] | top src limit=10
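The difference between the chained search and the subsearch form, as an added example that is not part of the original thread and is not Splunk code: a simplified Python model of `top` as a transforming command, run over constructed sample events. The function names and the sample data are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events standing in for index=cisco_firewall (not real data).
EVENTS = (
    [{"error_code": "106023", "src": "10.0.0.5"}] * 6
    + [{"error_code": "106023", "src": "10.0.0.9"}] * 2
    + [{"error_code": "302013", "src": "10.0.0.5"}] * 3
    + [{"error_code": "302013", "src": "10.0.0.7"}] * 4
    + [{"error_code": "710003", "src": "10.0.0.8"}] * 1
)

def top(rows, field, limit):
    """Simplified model of `top <field> limit=N`, a transforming command.

    The output rows carry only the field, count and percent; every other
    field of the input events (such as src) is gone after this stage.
    """
    counts = Counter(r[field] for r in rows if field in r)
    total = sum(counts.values())
    return [
        {field: value, "count": n, "percent": round(100.0 * n / total, 2)}
        for value, n in counts.most_common(limit)
    ]

def chained(events, n_codes, n_src):
    """Models: ... | top error_code limit=n_codes | top src limit=n_src"""
    return top(top(events, "error_code", n_codes), "src", n_src)

def with_subsearch(events, n_codes, n_src):
    """Models: index=... [search ... | top error_code | fields error_code] | top src"""
    # The subsearch runs first and returns only error_code values, which
    # become a filter on the outer search over the raw events.
    wanted = {r["error_code"] for r in top(events, "error_code", n_codes)}
    filtered = [e for e in events if e["error_code"] in wanted]
    return top(filtered, "src", n_src)

if __name__ == "__main__":
    print(chained(EVENTS, 2, 10))         # no rows: src is not in the stats table
    print(with_subsearch(EVENTS, 2, 10))  # src counts within the top 2 error codes
```
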