Hi all,

I'm not sure whether I'm in the right forum or not.

I'm really new to the Elastic & Kibana stuff and can't find a solution to what I'm trying to do.

In the query section I'm filtering the eventlog data for the event id and substatus. The total count value filtered by the query is not accessible in the script below:
```json
POST eventlog/_search
{
  "query": {
    "query_string": {
      "query": "event_id:4625 AND @timestamp:>now-24h AND (sub_status:/0..000005[e|E]/ OR sub_status:/0..0000064/ OR sub_status:/0..000006[A|a]/ OR sub_status:/0..000006[D|d]/)"
    }
  },
  "script_fields": {
    "hourlyLogonAttemptSnapShot": {
      "script": {
        "lang": "painless",
        "source": """
          long lLogonAttempts = ctx.payload.hits.total;
          long lTotalAccounts = 40000; /* add a second index query here */
          long lOrangeThreshold = lTotalAccounts * 5;
          long lYellowThreshold = lTotalAccounts * 4;
          long lGreenThreshold = lTotalAccounts * 3;
          String sThreshold;
          if (lLogonAttempts <= lGreenThreshold) {
            sThreshold = "green";
          }
          else if (lLogonAttempts > lGreenThreshold && lLogonAttempts <= lYellowThreshold) {
            sThreshold = "yellow";
          }
          else if (lLogonAttempts > lYellowThreshold && lLogonAttempts <= lOrangeThreshold) {
            sThreshold = "orange";
          }
          else {
            sThreshold = "red";
          }
          return sThreshold;
        """
      }
    }
  }
}
```
The error I am receiving is as follows:

```json
"shard": 0,
"index": "eventlog-2018.08.05",
"node": "HMx4WRB_Sfqxt4A2R1O45g",
"reason": {
  "type": "script_exception",
  "reason": "runtime error",
  "script_stack": [
    "lLogonAttempts = ctx.payload.hits.total;\n long ",
    "                 ^---- HERE"
  ],
```
The final target to achieve is to execute the query hourly via a watcher, gather the total count and the color according to the thresholds, and write them into a new index. But first I need to understand how to make the query result available in the script part. Putting the ctx.payload.. in {} or "" is not helping ;(

Many thanks
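For reference, here is how the hourly snapshot described in the post can be expressed as a single Watcher definition. This is an added example, not code from the original post: `ctx.payload` is the Watcher execution context, so the total hit count is only reachable from a watch's `condition` or `transform` script, not from `script_fields` in a plain `_search` (where a per-document script sees `doc` and `params`, which is what produces the `runtime error` shown above). The query, thresholds and the 40000 account count are taken from the post; the watch id, the `eventlog-*` index pattern, the target index name `logon-attempt-snapshots` and the field names in the indexed document are assumptions. The body uses Kibana Console syntax (the `PUT` line and the `"""` triple-quoted Painless source), matching the post.

```json
PUT _xpack/watcher/watch/hourly_logon_attempt_snapshot
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "eventlog-*" ],
        "body": {
          "size": 0,
          "query": {
            "query_string": {
              "query": "event_id:4625 AND @timestamp:>now-24h AND (sub_status:/0..000005[e|E]/ OR sub_status:/0..0000064/ OR sub_status:/0..000006[A|a]/ OR sub_status:/0..000006[D|d]/)"
            }
          }
        }
      }
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": """
        /* Watcher exposes the search response as ctx.payload, so the
           matched document count is ctx.payload.hits.total here. */
        long lLogonAttempts = ctx.payload.hits.total;
        long lTotalAccounts = 40000; /* assumed constant; see post about a second index query */
        long lOrangeThreshold = lTotalAccounts * 5;
        long lYellowThreshold = lTotalAccounts * 4;
        long lGreenThreshold = lTotalAccounts * 3;
        String sThreshold;
        if (lLogonAttempts <= lGreenThreshold) {
          sThreshold = "green";
        } else if (lLogonAttempts <= lYellowThreshold) {
          sThreshold = "yellow";
        } else if (lLogonAttempts <= lOrangeThreshold) {
          sThreshold = "orange";
        } else {
          sThreshold = "red";
        }
        /* The map returned by the transform replaces ctx.payload and is
           exactly the document the index action writes. Field names are assumed. */
        return [
          'logon_attempts': lLogonAttempts,
          'total_accounts': lTotalAccounts,
          'color': sThreshold
        ];
      """
    }
  },
  "actions": {
    "index_snapshot": {
      "index": {
        "index": "logon-attempt-snapshots",
        "doc_type": "_doc",
        "execution_time_field": "@timestamp"
      }
    }
  }
}
```

`size: 0` keeps the individual hits out of the payload since only the count is needed, and `execution_time_field` lets Watcher stamp each snapshot with the execution time instead of computing it in the script. With the thresholds from the post (3x, 4x and 5x of 40000), the `else if` chain above is equivalent to the original nested range checks, because each branch is only reached once the lower bound has already failed. A run can be checked without waiting an hour via `POST _xpack/watcher/watch/hourly_logon_attempt_snapshot/_execute`, whose response shows the transformed payload and the indexed document.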