...|search NOT [...|rename field AS query]
Does not search the field query, but instead the raw data.
Instead of searching:
NOT(query=value1 OR query=value2 ...)
It searches
NOT(_raw=value1 OR _raw=value2 ...)
If you want to actually search the query field then do this:
...| rename query AS query_name |search NOT [...|rename field AS query_name] | rename query_name AS query
