Hey Brian,
There are a few different ways to skin this cat.
You've gone in the Stream direction, another way to go is you could turn on "query logging" on your DNS servers and use a Splunk Universal-Forwarder to collect the query-logs, with the appropriate TA, and ES will see them (assuming the TA you use is CIM-compliant, which most are).
If you cannot collect DNS query-logs (say, in the case of a DNS appliance) then Stream would be your next option.
You essentially need to bring all those logs into Splunk, whether via a UF or Splunk Stream, then ES can monitor it. Additionally you can do your own analytics as well (if you wish to).
If you decide to go with Stream, naturally it will need to tap (sniff) the right part of your network, and you'll need to create a new DNS Stream (Configure Streams->New Stream->DNS) (apologies, I don't have a Stream installation handy, but hopefully you get the idea..), give it a name, and tick the fields you want Stream to collect for this particular stream. Stuff like src_ip, host_addr, query, message_type etc.
By ticking those fields, you're really saying which parts of a DNS packet you want Stream to log (the query, the source IP, the TTL, etc..)
Once that stuff is indexed in your Splunk, search for 'index=* tag=dns'; if it's CIM-compliant, you should see results from this search. You can substitute the index-name of your Stream DNS logs.
Here's a useful use-case from the ES docs, about how to use DNS to identify "patient-zero" for a malware infection.
http://docs.splunk.com/Documentation/ES/4.2.0/Usecases/PatientZero
Hope it helps 🙂
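As an added illustration of the query-log route and the "patient zero" idea above (this is example code, not part of the original answer, a Splunk TA, or the ES use case): it parses BIND-9-style query-log lines into the CIM Network Resolution field names (src, dest, query, query_type, message_type) that ES expects, and then reports the earliest client that resolved a given domain. The log-line format and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime

# Regex for a BIND-9-style query-log line. The exact format is an
# assumption; adjust it to whatever your resolver actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: info: client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#(?P<sport>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<query>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<dest>[\d.]+)\)$"
)

def parse_line(line):
    """Map one query-log line onto CIM Network Resolution field names.
    Returns None for lines that do not match (so junk is skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "_time": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "src": m.group("src"),                      # client making the lookup
        "src_port": int(m.group("sport")),
        "dest": m.group("dest"),                    # resolver that answered
        "query": m.group("query").rstrip(".").lower(),
        "query_type": m.group("qtype"),
        "message_type": "Query",                    # query-logs only show requests
    }

def first_querier(lines, domain):
    """Return (src, _time) of the earliest client that looked up `domain`
    or any subdomain of it; None if nobody did. This is the core of a
    'patient zero' search: who asked for the bad name first?"""
    domain = domain.lower()
    hits = [e for e in map(parse_line, lines)
            if e and (e["query"] == domain or e["query"].endswith("." + domain))]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["_time"])
    return first["src"], first["_time"]

# Constructed sample log lines (deliberately out of time order, with one junk line).
SAMPLE_LOG = [
    "20-Sep-2016 10:03:15.001 queries: info: client @0x7f3c1c0a2b40 10.0.0.12#41022 "
    "(bad-example.test): query: bad-example.test IN A +E(0)K (10.0.0.1)",
    "20-Sep-2016 10:01:02.500 queries: info: client @0x7f3c1c0a2b40 10.0.0.7#53211 "
    "(cdn.bad-example.test): query: cdn.bad-example.test IN A +E(0)K (10.0.0.1)",
    "20-Sep-2016 10:00:40.250 queries: info: client 10.0.0.5#53212 "
    "(www.example.com): query: www.example.com IN AAAA + (10.0.0.1)",
    "this line is not a query-log entry and is skipped",
]

if __name__ == "__main__":
    print(first_querier(SAMPLE_LOG, "bad-example.test"))
```

Once the same fields are indexed in Splunk (via the UF and a CIM-compliant TA, or via Stream), the equivalent question is a plain `index=* tag=dns query=*bad-example.test*` search sorted by `_time`.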