I had a similar issue. The results of the above query only returned the "communicate" and "network" tags. It appears that the default/eventtypes.conf is ignoring "stream:Splunk_*", which excludes "stream:Splunk_DNS*" events:

[stream_dns]
search = sourcetype=stream:dns NOT source=stream:Splunk_*

I added the following to local/eventtypes.conf and it resolved the issue:

[stream_dns]
search = sourcetype=stream:dns

Now the DNS events return all 4 tags: communicate, dns, network, resolution.
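To make the effect of the two stanzas concrete, here is an added Python illustration (not code from the post above or from Splunk): it parses eventtypes.conf-style text with configparser, applies a local layer over a default layer the way Splunk's configuration precedence does, and evaluates the post's tiny search subset (field=value terms, "*" wildcards, NOT) against constructed events. The eventtype-to-tag mapping and the base "communicate"/"network" tags are assumed stand-ins for a tags.conf, chosen only so the tag counts line up with the post; the matcher is a toy, not Splunk's search engine.

```python
"""Toy model of how an eventtypes.conf stanza gates Splunk tagging.

Added illustration: parser, matcher and tag mapping below are
constructed for this example and are not Splunk's own code.
"""
import configparser
import fnmatch

# Stanza quoted in the post from default/eventtypes.conf
DEFAULT_CONF = """
[stream_dns]
search = sourcetype=stream:dns NOT source=stream:Splunk_*
"""

# Stanza the post adds to local/eventtypes.conf; local wins over default
LOCAL_CONF = """
[stream_dns]
search = sourcetype=stream:dns
"""

# Assumed tags.conf-style mapping (eventtype -> tags); hypothetical values
TAGS_BY_EVENTTYPE = {
    "stream_dns": {"dns", "resolution"},
}

# Tags assumed to come from elsewhere (e.g. sourcetype-level tagging); constructed
BASE_TAGS = {"stream:dns": {"communicate", "network"}}


def parse_eventtypes(conf_text):
    """Return {eventtype_name: search_string} from conf-style text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: cp[name]["search"] for name in cp.sections()}


def merge_layers(*layers):
    """Later layers override earlier ones, like local/ over default/."""
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged


def matches(search, event):
    """Evaluate 'field=value [NOT field=value ...]' with glob wildcards.

    Only the subset of search syntax used in the post is supported.
    """
    negate = False
    for token in search.split():
        if token.upper() == "NOT":
            negate = True
            continue
        field, _, pattern = token.partition("=")
        hit = fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
        # A positive term that missed, or a negated term that hit, fails the search
        if hit == negate:
            return False
        negate = False
    return True


def tags_for(event, eventtypes):
    """Collect base tags plus tags from every eventtype whose search matches."""
    tags = set(BASE_TAGS.get(event.get("sourcetype"), set()))
    for name, search in eventtypes.items():
        if matches(search, event):
            tags |= TAGS_BY_EVENTTYPE.get(name, set())
    return tags


if __name__ == "__main__":
    # Constructed event resembling one emitted by a Splunk_DNS stream source
    event = {"sourcetype": "stream:dns", "source": "stream:Splunk_DNS"}

    default_only = parse_eventtypes(DEFAULT_CONF)
    with_local = merge_layers(default_only, parse_eventtypes(LOCAL_CONF))

    print("default only:", sorted(tags_for(event, default_only)))
    print("with local  :", sorted(tags_for(event, with_local)))
```

Running it shows the event picking up only the two base tags under the default stanza and all four once the local stanza drops the NOT clause, which is the same before/after the post reports.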