According to Splunk documentation for the top command, it is acceptable to have multiple fields (separated by commas) as arguments. For example:
search something | top host_ip, username
But my brain is having a hard time understanding what that actually does. To me, "top" implies that you are trying to sort the search results by the frequency of each unique value in one field and display only the top X most frequently occurring values of that field. When you feed multiple field names to the top command, what results are returned exactly?