I would like to write a custom expression in OpenSearch Dashboards, but I can't seem to get it right.
At the moment, I have:
{
  "http-reponse-code": {
    "value_count": {
      "field": "response"
    }
  }
}
It will count all the messages in the index that have a http-response-code.
Now, I would like to limit those to only count responses that are in a certain range ("400" to "499"). I can't seem to get that right.
Thought about something like this:
{
  "query": {
    "value_count": {
      "filter": [
        { "term": { "field": "response"}},
        { "range": { "response": { "gte": 400, "lte": 499 }}}
      ]
    }
  }
}
When I click "Preview", OpenSearch Dashboards tells me:
query error: [1:1209] [value_count] unknown field [filter]
What am I getting wrong?
Is there any documentation for the expressions I can use in Anomaly Detection?
Any advice highly appreciated!