I'm querying from Kibana. I'm looking at nginx access logs processed by logstash and stored in elasticsearch. The response code of the log is in the "status" field in my implementation.
I get exactly what I'm looking for with the following queries from the 'discover' page:
status:[200 TO 499]
status:[501 TO 99999999]  (no results found, which is not surprising, but the query executed successfully)
I get "Discover: An error occurred with your request. Reset your inputs and try again." with the following queries:
status:[499 TO 501]
status:* NOT status:200 NOT status:204 NOT status:301 NOT status:304 NOT status:404
That last one is my favorite, as I can remove or change any of the HTTP response codes above and yield the expected results. I know I'm generating 500s; and even if I weren't, I'd still expect a successful query with 'no results' returned. I have a dev environment very, very similar to prod in which searching for 500s works just fine. My production environment does see a good amount of traffic, ~4 million or more requests per hour. My search is limited to the past 15 minutes; my implementation creates a new index for each day. If it were a scaling issue, I would imagine that searching for other response codes would also fail, especially with that chained NOT query.
I would greatly appreciate any insight anyone is able to offer!
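One way to separate Kibana from Elasticsearch when a Discover query errors is to hand the same query string to Elasticsearch's validate API with explain, alongside the field mapping for "status" (a range on a string-typed field is compared lexicographically, on a numeric field numerically). The script below is an added example, not the poster's code; it assumes Elasticsearch on localhost:9200, a logstash-* daily index pattern, and that Discover wraps the text in a query_string query.

```python
import json
import urllib.request

ES = "http://localhost:9200"   # assumption: Elasticsearch reachable locally
INDEX = "logstash-*"           # assumption: logstash daily indices


def query_string_body(q):
    """Wrap a Discover query string in a query_string query (assumed Kibana shape)."""
    return {"query": {"query_string": {"query": q, "analyze_wildcard": True}}}


def parse_validate(resp):
    """Reduce a _validate/query?explain response to (valid, [(index, valid, text), ...])."""
    details = []
    for e in resp.get("explanations", []):
        text = e.get("explanation") or e.get("error")
        details.append((e.get("index"), bool(e.get("valid")), text))
    return bool(resp.get("valid")), details


def es(method, path, body=None):
    """Minimal Elasticsearch HTTP call; returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def check(q):
    """Ask Elasticsearch whether it can parse q against INDEX, with per-index detail."""
    return parse_validate(es("GET", f"/{INDEX}/_validate/query?explain=true",
                             query_string_body(q)))


if __name__ == "__main__":
    # If "status" is a string in some daily indices and a number in others, ranges differ.
    print(json.dumps(es("GET", f"/{INDEX}/_mapping/field/status"), indent=1))
    for q in ["status:[200 TO 499]", "status:[499 TO 501]",
              "status:* NOT status:200 NOT status:204 NOT status:301 NOT status:304 NOT status:404"]:
        valid, details = check(q)
        print(q, "->", "valid" if valid else "INVALID")
        for index, ok, text in details:
            print("   ", index, ok, text)
```

An index whose explanation reports the range as a string comparison, or a per-index parse error, points at the mapping or at Elasticsearch rather than at Kibana.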