The JSON that you posted is not valid, so Splunk will not recognize it as JSON; first fix that (perhaps it is a cut/paste/post mistake on your part). This parses for me:
| makeresults
| eval _raw = "{
\"Actor\": [{
\"ID\": \"8 f71273c - c502 - 4 a39 - 9607 - 6 b272c9df\",
\"Type\": 0
}, {
\"ID\": \"email@myemail.com\",
\"Type\": 5
}, {
\"ID\": \"1003200038 F18F0E\",
\"Type\": 3
}]
}"
| spath
Then try this:
index=mine Workload=AzureActiveDirectory ResultStatus=Succeeded Operation=UserLoggedIn
| spath
| eval email=mvindex('Actor{}.ID', 1)
| stats count dc(src) AS mycount BY email
| where mycount>=3
| sort 0 - mycount
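
The same detection logic outside Splunk, as an added example that is not part of the original answer: it picks the Actor entry by its Type instead of by array position, then counts distinct sources per e-mail. Treating Type 5 as the e-mail entry is an assumption taken from the sample above; the event layout (`src`, `_raw`), the function names and all sample data are constructed for illustration.

```python
import json
from collections import defaultdict

EMAIL_ACTOR_TYPE = 5  # assumption: in the sample above the e-mail entry has Type 5

def _event(src, actors):
    """Build one constructed event: a src field plus the raw audit JSON."""
    return {"src": src, "_raw": json.dumps({"Actor": actors})}

# Constructed sample data (not from the original post).
SAMPLE_EVENTS = [
    _event("198.51.100.10", [{"ID": "guid-a", "Type": 0}, {"ID": "alice@example.com", "Type": 5}]),
    _event("198.51.100.20", [{"ID": "guid-a", "Type": 0}, {"ID": "alice@example.com", "Type": 5}]),
    _event("198.51.100.20", [{"ID": "guid-a", "Type": 0}, {"ID": "alice@example.com", "Type": 5}]),
    # Actor order differs here: position 1 would return the GUID, not the e-mail.
    _event("203.0.113.5", [{"ID": "alice@example.com", "Type": 5}, {"ID": "guid-a", "Type": 0}]),
    _event("192.0.2.7", [{"ID": "guid-b", "Type": 0}, {"ID": "bob@example.com", "Type": 5}]),
    _event("192.0.2.8", [{"ID": "guid-b", "Type": 0}, {"ID": "bob@example.com", "Type": 5}]),
    {"src": "192.0.2.9", "_raw": '{"Actor": [{"ID": "broken"'},  # invalid JSON
]

def actor_email(raw):
    """Return the ID of the Actor entry with the e-mail Type, or None."""
    try:
        actors = json.loads(raw).get("Actor") or []
    except (json.JSONDecodeError, AttributeError):
        return None  # unparseable or not a JSON object: no e-mail to extract
    if not isinstance(actors, list):
        return None
    for actor in actors:
        if isinstance(actor, dict) and actor.get("Type") == EMAIL_ACTOR_TYPE:
            return actor.get("ID")
    return None

def logins_from_many_sources(events, threshold=3):
    """Rows of (email, event count, distinct src count) with distinct src >= threshold."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for event in events:
        email = actor_email(event["_raw"])
        if email is None:
            continue  # mirrors stats BY email, which drops events without the field
        counts[email] += 1
        sources[email].add(event["src"])
    rows = [(e, counts[e], len(s)) for e, s in sources.items() if len(s) >= threshold]
    return sorted(rows, key=lambda row: -row[2])  # highest distinct-source count first
```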