I'd like to see for each indexer in my environment the top 3 forwarders that have sent data. I've created the following search but the top command isn't giving me the correct results. I've sorted the data after the stats command which allows me to quickly spot check the results. This search does show three forwarders per indexer but for example a check I just ran (by cutting out the top command) lists result numbers 18, 321, and 322 from the results of just the stats command.
index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | stats sum(kb) as total_kb by host sourceHost | sort -total_kb | top limit=3 total_kb sourceHost by host | sort host -total_kb