Basic Question regarding logging

Hello,

I don’t think it’s possible to filter specific sub-fields of dns (or other EVE fields) unless they’re listed in the suricata.yaml file (if needed, a simple example on how to do that can be seen here: Logging different kind of logs in different EVE files - #2 by syoc)

An alternative that comes to mind would be to filter out certain events to a different eve file. But I’m not sure this would be useful in your case.

I’m not aware of whether the way you’re forwarding Suricata logs to Splunk is the best alternative or not (sorry about that bit!)
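For readers who want to see what the suricata.yaml approach looks like in practice, here is an added example (not from the reply above or the linked thread) that sends DNS to its own EVE file and restricts it to a chosen set of record types; the filenames and the record-type list are assumptions chosen for illustration.

```yaml
# Added example: two eve-log instances in suricata.yaml.
# Suricata allows the eve-log output to be declared more than once,
# each with its own filename and its own list of event types.
outputs:
  # First instance: the main EVE file, everything except DNS.
  # (filename is an assumed value)
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - http
        - tls
        - flow

  # Second instance: DNS only, so the DNS volume can be filtered,
  # forwarded or indexed separately from the rest.
  # (filename and record-type list are assumed values)
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-dns.json
      types:
        - dns:
            version: 2          # v2 EVE DNS format (default since Suricata 5.0)
            requests: yes       # log queries
            responses: yes      # log answers
            formats: [detailed] # one array item per answer; drop "grouped"
            # Only these query types are written; everything else is dropped.
            types: [a, aaaa, cname, mx, txt]
```

The per-type `types`/`formats`/`requests`/`responses` keys are the only sub-field selection the DNS logger offers in the yaml; finer filtering of individual JSON fields has to happen downstream (for example in the forwarder or in Splunk).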