This doesn't seem to work for 2012 DNS Analytical logs. I have the following monitoring stanza but it's throwing an error.
WinEventLogChannel::subscribeToEvtChannel: Could not subscribe to Windows Event Log channel ‘microsoft-windows-dnsserver/analytical errorCode=15009’
Did you find a solution for reading the Microsoft-Windows-DNSServer/Analytical logs? It's my understanding from this article that the analytical log can't be read "online" if circular logging is enabled.
Error when enabling Analytic or Debug event log: "The requested operation cannot be performed over a...
One solution might be to switch the event log to manual clearing and configure the Splunk add-on to do that log clearing. I'm not sure if that's a feature of the add-on.