There are at least two approaches you can use
If your sourcetype’s JSON is not being parsed properly by Splunk, this rex will pull it for you:
| rex field=_raw "userid=(?<userid>\w+)"
If it is being parsed properly, then you can probably get it by a variation on the theme of:
| rename applicationTags{}.userid as userid
To get a full listing of the fields Splunk knows about for this sourcetype, use fieldsummary. Eg:
index=ndx sourcetype=srctp
| fieldsummary
| fields field values
from User warren – Stack Overflow https://stackoverflow.com/questions/73202763/how-to-get-particular-field-in-splunk-search-for-a-nested-json-event/73207521#73207521
via IFTTT