An empty string such as `""` is considered a case where the field exists. To identify whether the field is empty as per your definition, you can use the query below:

```json
{
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "must_not": [
              {
                "exists": {
                  "field": "someField"
                }
              }
            ]
          }
        },
        {
          "term": {
            "someField": ""
          }
        }
      ]
    }
  }
}
```

Replace `someField` in the above query with the name of the actual field in your index.
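To see why the `should` wrapper is needed, here is an added example (not part of the original answer) that evaluates the `bool`/`exists`/`term` subset of the query DSL locally over constructed documents. It assumes `someField` is a `keyword`-style field (exact matching, so `term` with `""` can match) and that `exists` is true whenever the field holds at least one non-null value, which is how Elasticsearch treats an empty string.

```python
# Added example: a minimal local evaluator for the bool / exists / term subset
# of the Elasticsearch query DSL, used to check "missing or empty" semantics.
# Assumption: keyword-style exact matching; "" counts as an existing value.

def _clauses(node):
    """bool sub-clauses may be given as one query object or a list of them."""
    return node if isinstance(node, list) else [node]

def field_exists(doc, field):
    """exists: true if the field has at least one non-null value ("" counts)."""
    value = doc.get(field)
    if isinstance(value, list):
        return any(v is not None for v in value)
    return value is not None

def matches(doc, query):
    """Return True if doc matches a bool / exists / term query."""
    (kind, body), = query.items()
    if kind == "exists":
        return field_exists(doc, body["field"])
    if kind == "term":
        (field, expected), = body.items()
        value = doc.get(field)
        return expected in (value if isinstance(value, list) else [value])
    if kind == "bool":
        must = all(matches(doc, q) for q in _clauses(body.get("must", [])))
        flt = all(matches(doc, q) for q in _clauses(body.get("filter", [])))
        must_not = not any(matches(doc, q) for q in _clauses(body.get("must_not", [])))
        should = _clauses(body.get("should", []))
        # Without must/filter, at least one should clause has to match
        # (Elasticsearch's default minimum_should_match of 1 in that case).
        should_ok = True if (body.get("must") or body.get("filter")) \
            else (not should or any(matches(doc, q) for q in should))
        return must and flt and must_not and should_ok
    raise ValueError(f"unsupported query type: {kind}")

def missing_or_empty_query(field):
    """The query from the answer above, parameterised by field name."""
    return {"query": {"bool": {"should": [
        {"bool": {"must_not": [{"exists": {"field": field}}]}},
        {"term": {field: ""}},
    ]}}}

def search(docs, query):
    """Return the ids of documents matching a {"query": ...} body."""
    return [d["id"] for d in docs if matches(d, query["query"])]

# Constructed sample documents covering absent, null, empty, set and [] cases.
DOCS = [{"id": "absent"}, {"id": "null", "someField": None},
        {"id": "empty", "someField": ""}, {"id": "set", "someField": "x"},
        {"id": "empty_list", "someField": []}]
```

Running `search(DOCS, {"query": {"exists": {"field": "someField"}}})` returns only `empty` and `set`, while `search(DOCS, missing_or_empty_query("someField"))` returns everything except `set`.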
You're almost there. Try like this:

```
GET /filebeat-2017.07.25/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-5m",
              "lte": "now-1m"
            }
          }
        },
        {
          "exists": {
            "field": "error_data"
          }
        }
      ]
    }
  }
}
```

i.e. the `bool/filter` clause must be an array if you have several clauses to put in it: