To make it more interesting, in the ES correlation search for Excessive DNS Failures it's using the src field to measure hosts that are getting a lot of DNS failures (which seems to be consistent with the infoblox parsing).
In Splunk Stream when collecting DNS there is a conflicting behavior (when it picks up both the QUERY and RESPONSE the client will be the src; when it picks up only a RESPONSE the client will be the dest).
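An added illustration, not part of the original post, of how the src/dest flip skews a per-host failure count and how deriving a normalized client field corrects it. The events are constructed sample data, and every field other than src and dest (the `captured` marker and `reply_code`) is an assumption standing in for whatever the real sourcetype provides.

```python
"""Constructed example: counting DNS failures per querying host when Splunk
Stream sometimes puts the client in src and sometimes in dest."""
from collections import Counter

DNS_SERVER = "10.0.0.53"  # constructed resolver address

# Constructed events. 'captured' is an assumed marker for whether Stream saw
# the QUERY+RESPONSE pair ("both") or only the RESPONSE ("response").
# With a pair the client is src; with a lone response the client is dest.
EVENTS = [
    {"captured": "both", "src": "10.0.1.10", "dest": DNS_SERVER, "reply_code": "NXDOMAIN"},
    {"captured": "both", "src": "10.0.1.10", "dest": DNS_SERVER, "reply_code": "NOERROR"},
    {"captured": "response", "src": DNS_SERVER, "dest": "10.0.1.10", "reply_code": "NXDOMAIN"},
    {"captured": "response", "src": DNS_SERVER, "dest": "10.0.1.10", "reply_code": "SERVFAIL"},
    {"captured": "response", "src": DNS_SERVER, "dest": "10.0.1.20", "reply_code": "NXDOMAIN"},
    {"captured": "both", "src": "10.0.1.20", "dest": DNS_SERVER, "reply_code": "NOERROR"},
]


def is_failure(event):
    """Treat any non-NOERROR reply as a DNS failure (assumed reply_code field)."""
    return event["reply_code"] != "NOERROR"


def client_of(event):
    """Return the querying host regardless of which direction Stream captured."""
    if event["captured"] == "response":
        # Response-only capture flows server -> client, so the client is dest.
        return event["dest"]
    return event["src"]


def failures_by_src(events):
    """Naive count keyed on src, as a correlation search using src would do."""
    return Counter(e["src"] for e in events if is_failure(e))


def failures_by_client(events):
    """Count keyed on the normalized client field."""
    return Counter(client_of(e) for e in events if is_failure(e))


if __name__ == "__main__":
    # The naive count blames the resolver for 3 failures; the normalized
    # count attributes them to the hosts that actually asked.
    print("by src:   ", dict(failures_by_src(EVENTS)))
    print("by client:", dict(failures_by_client(EVENTS)))
```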