CloudWatch Logs now supports a jsonParse function allowing you to extract and parse the json string into a map/list, and then access attributes. For example, you can do

parse @message /Request details: (?<json_string>\{.*\})/
| fields jsonparse(json_string) as json_message
| stats count_distinct(json_message.`user.id`)

Refer to: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-operations-functions.html#CWL_QuerySyntax-structure-types

example queries: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-examples.html#CWL_QuerySyntax-examples-structure