Office365 logs are sending duplicate events, so the generic use case doesn't really work:
[10 label=User label=Login label=Fail having same user] as s1 followed by [label=User label=Login label=Successful] as s2 on s1.user = s2.user
[col_type=office365 label=User label=Login label=Fail | chart distinct_count(id) as CNT by user | filter CNT>2] as s1 followed by [col_type=office365 label=User label=Login label=Successful] as s2 on s1.user = s2.user | chart count() by s2.log_ts,s2.user
Here "id" represents the request ID in Azure AD, which is unique, and that's what I want.
- Even if there isn't any output from s1, I still get some results from the total query.
- Also, I don't exactly get the followed-by event; I get all success events in the timeframe.
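As an added example, separate from the query in the post above and not a vendor implementation, here is the same correlation written out in Python over constructed sample events: failures are deduplicated on the Azure AD request id before counting, the threshold `min_failures=3` corresponds to `filter CNT>2`, and a success only fires when it comes strictly after at least that many distinct failures for the same user within the window. The field names `user`, `status`, `id` and `log_ts` follow the post's query; the event layout, the 10-minute window and the sample data are assumptions for illustration.

```python
"""Failed-then-successful login correlation with duplicate-event suppression.

Added example, not the poster's query. Field names mirror the post (user, id,
log_ts); the event shape and the window length are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Some request ids are
# delivered more than once, which is exactly what breaks a plain count().
SAMPLE_EVENTS = [
    {"log_ts": "2024-05-01T09:00:00", "user": "alice", "status": "Fail", "id": "r-1"},
    {"log_ts": "2024-05-01T09:00:00", "user": "alice", "status": "Fail", "id": "r-1"},  # duplicate
    {"log_ts": "2024-05-01T09:00:10", "user": "alice", "status": "Fail", "id": "r-2"},
    {"log_ts": "2024-05-01T09:00:20", "user": "alice", "status": "Fail", "id": "r-3"},
    {"log_ts": "2024-05-01T09:01:00", "user": "alice", "status": "Successful", "id": "r-4"},
    {"log_ts": "2024-05-01T08:30:00", "user": "alice", "status": "Successful", "id": "r-0"},  # before the failures
    {"log_ts": "2024-05-01T09:05:00", "user": "bob", "status": "Fail", "id": "r-5"},
    {"log_ts": "2024-05-01T09:05:00", "user": "bob", "status": "Fail", "id": "r-5"},  # duplicate
    {"log_ts": "2024-05-01T09:05:00", "user": "bob", "status": "Fail", "id": "r-5"},  # duplicate
    {"log_ts": "2024-05-01T09:06:00", "user": "bob", "status": "Successful", "id": "r-6"},
    {"log_ts": "2024-05-01T09:10:00", "user": "carol", "status": "Successful", "id": "r-7"},  # no failures
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def dedupe_by_request_id(events):
    """Keep the first copy of each request id; replayed deliveries are dropped."""
    seen = set()
    unique = []
    for event in events:
        if event["id"] in seen:
            continue
        seen.add(event["id"])
        unique.append(event)
    return unique


def distinct_failures(events):
    """The s1 side: per user, sorted timestamps of distinct failed requests."""
    by_user = defaultdict(list)
    for event in dedupe_by_request_id(events):
        if event["status"] == "Fail":
            by_user[event["user"]].append(parse_ts(event["log_ts"]))
    for timestamps in by_user.values():
        timestamps.sort()
    return by_user


def correlate_fail_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """The s2 side joined on user: a success is reported only if at least
    min_failures distinct failed requests for that user occurred strictly
    before it and inside the window. Users with no qualifying s1 rows
    produce nothing, and earlier successes are not matched."""
    failures = distinct_failures(events)
    alerts = []
    ordered = sorted(events, key=lambda e: parse_ts(e["log_ts"]))
    for event in dedupe_by_request_id(ordered):
        if event["status"] != "Successful":
            continue
        user_failures = failures.get(event["user"], [])
        if len(user_failures) < min_failures:
            continue  # equivalent of s1 returning no row for this user
        success_ts = parse_ts(event["log_ts"])
        prior = [t for t in user_failures if success_ts - window <= t < success_ts]
        if len(prior) >= min_failures:
            alerts.append({
                "user": event["user"],
                "log_ts": event["log_ts"],
                "failed_requests": len(prior),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_fail_then_success(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only alice is reported: bob's three events collapse to one distinct request id, carol has no failures, and alice's earlier success at 08:30 is ignored because it precedes the failures. Raising `min_failures` above what any user reaches returns an empty list rather than leaking unmatched successes.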