The following search looks for events that are purchase actions and appends the results of the top IP addresses by category ID to the current results.

The top command is not supported in SPL2. The subsearch in the append command uses embedded SPL to include top command in the search.

from <dataset> 
| where action="purchase"
| sort clientip 
| stats dc(clientip) BY categoryId
| append [search action="purchase" | `top 1 clientip BY categoryId`]

Embedded SPL is a shortcut associated with the spl1 command.

See also