Creating Detectors

New to Opensearch running 1.2 and trying to create a detector. For the feature I want to get a count of the HTTPstatus field in my log and specifically match 403 so that the detector is specifically looking for anomalies of that error code. I don’t know quite how to do this in the “custom expression” area. This does not work so is there documentation or anything that better explains how to use querydsl for detectors?

Here is what I was trying to use

	"errors": {
		"value_count": {
			"field": "HTTPstatus"
	"query": {
		"match_phrase": {
			"HTTPstatus": "403"