Sure,
The structure of the "message" is:
{
  "AuthenticationSuccess": {
    "status": 200,
    "user_id": "test_user",
    "message": "OK",
    "source": "portal"
  }
}
What I need to do is access the user_id field from the following alert section, but even using dot (.) I cannot access it.
What I am trying to achieve is to raise an alert if a user tries to log in too many times in a certain time frame (so I am trying to group by user, then count, and raise the alert).
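
The grouping and counting described above, as an added Python example that is not part of the original post and is not the rule syntax of any alerting tool. It assumes the "message" field arrives as a JSON string that has to be parsed before the nested user_id can be read; the timestamps, the threshold of 5 and the 60-second window are constructed values.

```python
import json
from collections import defaultdict, deque

def _event(ts, user):
    # Build one constructed event: (epoch seconds, raw "message" string).
    body = {"AuthenticationSuccess": {"status": 200, "user_id": user,
                                      "message": "OK", "source": "portal"}}
    return ts, json.dumps(body)

# Constructed sample input, including one malformed message.
SAMPLE_EVENTS = [_event(t, "test_user") for t in (0, 10, 20, 30, 40)] + [
    _event(15, "other_user"), _event(400, "test_user"), (50, "not json")]

def extract_user_id(raw_message):
    """Return AuthenticationSuccess.user_id, or None if the shape is unexpected."""
    try:
        doc = json.loads(raw_message)
    except (TypeError, ValueError):
        return None
    inner = doc.get("AuthenticationSuccess") if isinstance(doc, dict) else None
    if not isinstance(inner, dict):
        return None
    uid = inner.get("user_id")
    return uid if isinstance(uid, str) else None

def detect_login_bursts(events, threshold=5, window_seconds=60):
    """Return (user_id, timestamp, count) for each user reaching the threshold."""
    recent = defaultdict(deque)  # user_id -> timestamps inside the window
    alerts = []
    for ts, raw in sorted(events, key=lambda e: e[0]):
        user = extract_user_id(raw)
        if user is None:
            continue  # skip messages that do not carry a user_id
        window = recent[user]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((user, ts, len(window)))
            window.clear()  # re-arm so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for user, ts, count in detect_login_bursts(SAMPLE_EVENTS):
        print(f"ALERT user={user} logins={count} at t={ts}")
```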
