It is not a nested field. The other information is just information about the host (i.e. "host.name", "host.os.name", "host.ip", etc.)
But I believe this is what I'm looking for:
This guy was trying to do the same as myself, but I'm just trying to pull a different message from the logs. I just don't know how to write the code.
So far I went into logs-* and added a new field (system.auth.login.events). Now I just need to set the correct value for the script.
Again, thank you for taking your time to help me.