The problem I think that in your case, for each extension, the subtraction is done over 404 responses of every extension and not only of the one coming from the split of the first query.
Actually, with your schema, I would like something like the following:
.es(metric=sum:bytes, q='response:200 AND extension.raw:jpg').subtract(.es(metric=sum:bytes, q='response:404 AND extension.raw:jpg'),
.es(metric=sum:bytes, q='response:200 AND extension.raw:css').subtract(.es(metric=sum:bytes, q='response:404 AND extension.raw:css'),
.es(metric=sum:bytes, q='response:200 AND extension.raw:png').subtract(.es(metric=sum:bytes, q='response:404 AND extension.raw:png'),
...
And I think that your queries does the following:
.es(metric=sum:bytes, q='response:200 AND extension.raw:jpg').subtract(.es(metric=sum:bytes, q=response:404),
.es(metric=sum:bytes, q='response:200 AND extension.raw:css').subtract(.es(metric=sum:bytes, q=response:404),
.es(metric=sum:bytes, q='response:200 AND extension.raw:png').subtract(.es(metric=sum:bytes, q=response:404),
...
Am I wrong?