When I type the query I'm talking about, this search returns no results

That may be a Good Thing.  If you don't have a high volume of DNS traffic then the alert will return no results.

OTOH, it may be a bad thing.  If your data doesn't contain the fields needed by the query then the alert will return no results regardless of the level of DNS traffic.

To determine which is the case, comment-out the where command and examine the results of the query.  Confirm each field is present and has legitimate values.  Compare the values to those used in the calculation to determine if they indicate a high volume or not.

Consider modifying the calculation to force the alert to trigger.  This will confirm the query is working and that your traffic level is just too low to normally trigger the alert.  Don't forget to restore the original calculation.

How are the numbers in the calculation determined?
For exapmle:  num_data_samples >=3 
                           or
                           avg_bytes_out + 1
                           etc.

Hello I'm also working with this query i found there was an error on line 4 in the end , it shouldn't be :

by src_ip

Should be:

All_Traffic.src_ip

Other thing is that you need to search All time.

In expressions like those, the field name is replaced with the field's value and then the expression is evaluated using common arithmetic rules.

Hello I was also wondering the same as I also want to implement this use case but searching all time consumes a lot of resources and I want to decrease it to a shorter time frame.

"where num_data_samples >=4" 

why do u have 4 in your query? 

"where num_data_samples >=4" 

why do u have 4 in your query?