GET INDEX/_search?pretty
{
"query": {
"bool": {
"must_not": [
{
"match": {
"system.process.name": "WINWORD.EXE"
}
}
],
"filter": {
"range": {
"@timestamp": {
"gte": "now-15m",
"lte": "now"
}
}
}
}
},
"size": 10000,
"_source": [
"beat.hostname"
]
}
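Give this a try. Note what it returns: the `beat.hostname` of every event from the last 15 minutes whose `system.process.name` does not match WINWORD.EXE (events with no such field also match). A host is therefore listed once per matching event, and it is listed even if it also reported WINWORD.EXE in the same window. The result is a list of events, not a list of hosts where the process is absent, and at most 10000 hits come back, so on a busy index the output can be truncated.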