I'd say that it's a bad practice to just keep the message field as is without any parsing prior to indexing (using Grok for example).
Anyway, I guess this is not working because of the way your text has been analyzed.
Could you provide a full recreation script as described in About the Elasticsearch category? It will help to better understand what you are doing. Please try to keep the example as simple as possible.