A nice DNS search for Splunk

gistfile1.txt

| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where  DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src 
| eval query_punct=query 
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----" 
|   `ut_shannon(query)` 
| stats sum(ut_shannon) as ut_shannon_sum  values(query) as query by src 
| where ut_shannon_sum<1000 
| sort - ut_shannon_sum

Requires URL Toolbox - https://splunkbase.splunk.com/app/2734/ and Network Resolution Datamodel

Averaging the ut_shannon score is also interesting.
If you have ES, do a lookup:
| lookup asset_lookup_by_str ip as src OUTPUT dns nt_host

index=dns NOT reply_code=NoError NOT query="somehosts*" NOT query=*.arpa NOT record_type=nimloc dest_ip!="224.0.0.252" NOT protocol_stack=ip:tcp:dns NOT query=_* | stats count values(query) as query values(reply_code) as reply_code by src_ip protocol_stack message_type dest_ip dest_port record_type | eval ip=lower(dest_ip)