Elastalert: [_na] query malformed, no field after start_object

Created on 29 Dec 2015 · 3 comments · Source: Yelp/elastalert

When trying to test an example rule with elastalert-test-rule example_rules/example_frequency.yaml, I get the following failure:

Successfully loaded Example rule

INFO:urllib3.connectionpool:Starting new HTTP connection (1): elasticsearch-host
WARNING:elasticsearch:GET /logstash-*/_search?ignore_unavailable=true&size=1 [status:400 request:0.172s]
Error running your filter:
RequestError(400, {u'failed_shards': [{u'node': u'Ope2KsxvS_Saqyb-ai1InA', u'index': u'logstash-2015.12.18', u'reason': {u'index': u'logstash-2015.12.18', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'mo8mLx-TQbGLyTHLzFWCyg', u'index': u'logstash-2015.12.19', u'reason': {u'index': u'logstash-2015.12.19', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'mo8mLx-TQbGLyTHLzFWCyg', u'index': u'logstash-2015.12.20', u'reason': {u'index': u'logstash-2015.12.20', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'nAc7npDyTDWRJQYGjzwcqw', u'index': u'logstash-2015.12.21', u'reason': {u'index': u'logstash-2015.12.21', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'nAc7npDyTDWRJQYGjzwcqw', u'index': u'logstash-2015.12.22', u'reason': {u'index': u'logstash-2015.12.22', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'mo8mLx-TQbGLyTHLzFWCyg', u'index': u'logstash-2015.12.23', u'reason': {u'index': u'logstash-2015.12.23', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'nAc7npDyTDWRJQYGjzwcqw', u'index': u'logstash-2015.12.24', u'reason': {u'index': u'logstash-2015.12.24', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'query_parsing_exception', u'line': 1, u'col': 32}, u'shard': 0}, {u'node': u'mo8mLx-TQbGLyTHLzFWCyg', u'index': u'logstash-2015.12.25', u'reason': {u'index': u'logstash-2015.12.25', u'reason': u'[_na] query malformed, no field after start_object', u'type': u'que

The rule i supplied is this (i just modified the existing example).

# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
es_host: elasticsearch-host

# (Optional)
# Elasticsearch port
es_port: 9200

# (OptionaL) Connect with SSL to elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: Example rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 50

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 4

# (Required)
# A list of elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
  host: "localhost"

# (Required)
# The alert is use when a match is found
alert:
# - "email"
- slack

slack_webhook_url: https://hooks.slack.com/services/secret/secret


# (required, email specific)
# a list of email addresses to send alerts to
# email:
# - "[email protected]"

I'm using Elasticsearch 2.1.1.

All 3 comments

The problem is the indentation of your term; apparently you should have

filter:
    - term:
        host: "localhost"

4 spaces on each line
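Why the four-space version works, and how a rule loader could catch this before Elasticsearch returns a 400, as an added example (my code, not ElastAlert's). In YAML the list item "- term:" opens a mapping at the column where "term" starts; when "host:" sits at that same column it becomes a sibling key of "term", so PyYAML returns {'term': None, 'host': 'localhost'} and a term clause with no body is sent to Elasticsearch, which is the malformed object the error complains about. Indenting "host" deeper than "term" (four spaces as in the comment above, or any deeper indent) nests it as the term's field instead. The two YAML strings below are copied from the thread, the two dicts are constructed to match what PyYAML's safe_load returns for them, and lint_filters is a hypothetical pre-flight check that is not part of ElastAlert:

```python
import json

# Constructed YAML snippets, copied from the thread (not ElastAlert code).
BROKEN_YAML = 'filter:\n- term:\n  host: "localhost"\n'          # host level with term
FIXED_YAML = 'filter:\n    - term:\n        host: "localhost"\n'  # host nested under term

# Constructed expected parses: this is what PyYAML's safe_load returns for each.
# In the broken form 'host' is a sibling of 'term', so 'term' has a null body.
BROKEN_RULE = {"filter": [{"term": None, "host": "localhost"}]}
FIXED_RULE = {"filter": [{"term": {"host": "localhost"}}]}


def lint_filters(rule):
    """Return a list of problems with rule['filter']; an empty list means OK.

    Hypothetical pre-flight check: every list item must be a mapping with one
    query type whose body is an object, which is what a Query DSL clause needs.
    """
    problems = []
    filters = rule.get("filter")
    if not isinstance(filters, list):
        return ["'filter' must be a list of query clauses"]
    for i, clause in enumerate(filters):
        if not isinstance(clause, dict):
            problems.append("filter[%d]: clause must be a mapping, got %r" % (i, clause))
            continue
        if len(clause) != 1:
            problems.append("filter[%d]: expected one query type per list item, got keys %s"
                            % (i, sorted(clause)))
        for qtype, body in sorted(clause.items()):
            if body is None:
                problems.append("filter[%d]: '%s' has no body; its fields are probably not "
                                "indented deeper than '%s:'" % (i, qtype, qtype))
            elif not isinstance(body, dict):
                problems.append("filter[%d]: '%s' must map to an object, got %r"
                                % (i, qtype, body))
    return problems


def filter_json(rule):
    """JSON that would end up in the query's must list, with sorted keys for stable output."""
    return json.dumps(rule["filter"], sort_keys=True)


def parse_with_pyyaml(text):
    """Parse with PyYAML when it is installed; return None when it is not."""
    try:
        import yaml
    except ImportError:
        return None
    return yaml.safe_load(text)


if __name__ == "__main__":
    for label, text, expected in (("broken", BROKEN_YAML, BROKEN_RULE),
                                  ("fixed", FIXED_YAML, FIXED_RULE)):
        parsed = parse_with_pyyaml(text)
        if parsed is not None:
            # Cross-check the constructed dicts against a real YAML parse.
            assert parsed == expected, (label, parsed)
        print("%s: %s" % (label, filter_json(expected)))
        for problem in lint_filters(expected) or ["OK"]:
            print("  " + problem)
```

Running it prints the broken clause as [{"host": "localhost", "term": null}] with three lint findings and the fixed clause as [{"term": {"host": "localhost"}}] with none; the same check could run on every rule at load time so that a mis-indented filter fails fast and with a pointed message instead of surfacing as a per-shard query_parsing_exception.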

Thanks, Hans! Your solution solved it for me. 4(!) spaces are really important.

Whoops, did close this one. This was the fix for me as well.
