from my understanding, I believe you have to add search inside the bracket something like this:
index=dnslogs sourcetype=ptr_data
[search your first query | stats count by dest | fields dest | rename dest as dns_name ]
| stats values(query) by dns_name
... View more
i believe you have to add the word search itself inside the bracket so it should look like this
index=dnslogs sourcetype=ptr_data
[search your first query | stats count by dest | fields dest | rename dest as dns_name ]
| stats values(query) by dns_name
... View more