I think the misunderstanding here is that you do not search for rare by related.user in the actual Elasticsearch query language; you accomplish that bit using an ML job (see rarity analysis article).
So, you need to:
- Create a filtered search to come up with a version of the data set that you want - it seems that you've done this part. Save this search as a "Saved Search".
- Use that "Saved Search" as the basis of your ML job.
- Configure your ML job to do rarity analysis using the appropriate fields in the data.
I hope this helps.
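The job described in the steps above, as an added example that is not part of the original reply: a request body for the create anomaly detection job API (`PUT _ml/anomaly_detectors/<job_id>`) with a `rare` detector keyed on `related.user`. The bucket span, the `@timestamp` time field, the index pattern and the `match_all` filter (standing in for the saved search's own query) are assumptions, and embedding `datafeed_config` in the job request assumes an Elasticsearch version that accepts it; in Kibana the saved search supplies the index and query instead.

```json
{
  "description": "Added example: flag related.user values that are rare over time. Index pattern and query are placeholders.",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "rare by related.user",
        "function": "rare",
        "by_field_name": "related.user"
      }
    ],
    "influencers": ["related.user"]
  },
  "data_description": {
    "time_field": "@timestamp"
  },
  "datafeed_config": {
    "indices": ["<your-index-pattern>"],
    "query": {
      "bool": {
        "filter": [
          { "match_all": {} }
        ]
      }
    }
  }
}
```

Replace the `match_all` clause with the same filter the saved search applies, so the job only models the subset of events that was selected in the first step.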