So, now, I think you've stumbled into a different issue with your testing. Despite having created a scenario in which you've got a lot of bucket_spans being presented to the ML models, the fact is that 90% of the buckets have no data in them:
So, in your packetbeat index you really don't have that many "normal" DNS requests. Is there a way you can get more "normal background DNS traffic" into your packetbeat index before you try your DNS exfil script?