Apache 404 response code in filebeat

I am using filebeat with ES as output.
I have specified:
input_type: log
document_type: apache

  • /var/log/httpd/*_log
    in /etc/filebeat/filebeat.yml and am able to successfully see results in Kibana. I am however playing around with "Watcher" and trying to create a watch based on an http return code of 404, I see no field in my Kibana filebeat results that corresponds to and only to "404", something like "response", I am afraid I am missing something because filebeat and ELK are BIG products, and help would be appreciated.

Given you are processing the logs directly to ES it won't be separating the events and creating separate fields.
You will need so push them through Logstash instead.