We've been trying to set up the CIM datamodels in our environment.   One that seems particularly useful is Network_Resolution (DNS).  Network Resolution has just one dataset for DNS and the events look like they intend to capture request and response data

• answer
• dest
• message_type
• query
• query_type
• reply code  
• src

of these some are clearly related to the request and some are clearly related to an answer.  

Is the idea that the datamodel should be populated with just query data (no answer) for message type=query? and just response data (no query/query type) for message_type=response?

Or is there some effort that should be made to correlate the request and responses? so that each record contains everything where possible?

We did set up Splunk Stream to handle DNS.  Splunk stream tries to pair up request and response but seems to miss some pairings: I find that about 30% of DNS events from Splunk Stream have both request and response, ~40% have only query, and ~30% have only response

so it would be possible to add 30% of DNS events to Network Resolution with both query and response, but then the rest would have to be just query or just response events -- missing the other fields.  Or I could just split out the query and response from the joint records. 

Does anyone who uses Network Resolution (especially in ES) have a recommendation on how to do this?