Help needed for scripting for runtime fields

It is not a nested field. The other information is just information about the host (i.e. "host.name", "host.os.name", "host.ip", etc.)

But I believe this is what I'm looking for:

This guy was trying to do the same as myself, but I'm just trying to pull a different message from the logs. I just don't know how to write the code.

So far I went into logs-* and added a new field (system.auth.login.events). Now I just need to set the correct value for the script.

Again, thank you for taking your time to help me.