Can someone please explain the purpose of each line
match": {
"event_data.SubjectUserName": "LOCAL SERVICE"
}
The first line instructs Elasticsearch to execute a "match" query. There are many different queries, and match is one of them. You can find information about the match query here: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-match-query.html
The match query can be used to search for one or more terms in a specific field in your documents. In this case, Elasticsearch will search for the terms "LOCAL" or "SERVICE" in the field "event_data.SubjectUserName" of your documents.
All documents that contain either (or both) of these terms will be a match. Elasticsearch will score the documents based on how well these documents match your query and by default returns you the top 10 documents with the highest score.