distinct_count and followed by Issue while fetching Azure AD sign in logs


Office365 logs are sending duplicate events, so the generic use case doesn't really work:

[10 label=User label=Login label=Fail having same user] as s1 followed by [label=User label=Login label=Successful] as s2 on s1.user = s2.user


[col_type=office365 label=User label=Login label=Fail | chart distinct_count(id) as CNT by user | filter CNT>2] as s1 followed by [col_type=office365 label=User label=Login label=Successful] as s2 on s1.user = s2.user | chart count() by s2.log_ts,s2.user

Here "id" represents the request id in Azure AD, which is unique, and that's what I want.

  1. Even if there isn't any output from s1, I still get some result from the total query.
  2. Also, I don't exactly get the followed-by event; I get all success events in the timeframe.
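The detection the post is trying to express (at least three failed logins with distinct request ids for a user, then a success for that same user afterwards, with duplicated Office365 events collapsed by request id) is shown below in plain Python as an added example. It is not LogPoint query code and not part of the original post; the event records, field names (`ts`, `user`, `result`, `id`), the 10-minute look-back window and the threshold of 3 (mirroring `filter CNT>2`) are constructed assumptions. Running it with `distinct=False` reproduces the over-counting that duplicate events cause, and the ordering check is what keeps a success that precedes the failures from matching.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Azure AD data).
# Duplicated request ids model the Office365 connector sending the same event twice.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "user": "alice", "result": "Fail", "id": "r1"},
    {"ts": "2024-01-01T10:00:00", "user": "alice", "result": "Fail", "id": "r1"},  # duplicate
    {"ts": "2024-01-01T10:01:00", "user": "alice", "result": "Fail", "id": "r2"},
    {"ts": "2024-01-01T10:01:00", "user": "alice", "result": "Fail", "id": "r2"},  # duplicate
    {"ts": "2024-01-01T10:02:00", "user": "alice", "result": "Fail", "id": "r3"},
    {"ts": "2024-01-01T10:03:00", "user": "alice", "result": "Successful", "id": "r4"},
    # bob: success happens BEFORE the failures, so it is not "followed by"
    {"ts": "2024-01-01T09:00:00", "user": "bob", "result": "Successful", "id": "r5"},
    {"ts": "2024-01-01T09:30:00", "user": "bob", "result": "Fail", "id": "r6"},
    {"ts": "2024-01-01T09:31:00", "user": "bob", "result": "Fail", "id": "r6"},  # duplicate
    {"ts": "2024-01-01T09:32:00", "user": "bob", "result": "Fail", "id": "r7"},
    {"ts": "2024-01-01T09:33:00", "user": "bob", "result": "Fail", "id": "r8"},
    # carol: success only, no failures at all (s1 would be empty)
    {"ts": "2024-01-01T11:00:00", "user": "carol", "result": "Successful", "id": "r9"},
    # dave: only 2 distinct failures, but 4 raw events because of duplicates
    {"ts": "2024-01-01T12:00:00", "user": "dave", "result": "Fail", "id": "r10"},
    {"ts": "2024-01-01T12:00:00", "user": "dave", "result": "Fail", "id": "r10"},  # duplicate
    {"ts": "2024-01-01T12:01:00", "user": "dave", "result": "Fail", "id": "r11"},
    {"ts": "2024-01-01T12:01:00", "user": "dave", "result": "Fail", "id": "r11"},  # duplicate
    {"ts": "2024-01-01T12:02:00", "user": "dave", "result": "Successful", "id": "r12"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_fail_then_success(events, min_fails=3, window=timedelta(minutes=10), distinct=True):
    """Return (user, success_ts, fail_count) for every success that is preceded,
    within `window`, by at least `min_fails` failures of the same user.

    With distinct=True failures are counted by unique request id, which is the
    deduplication the post is after; distinct=False counts raw events and shows
    how duplicated log lines inflate the count.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    hits = []
    for user, user_events in by_user.items():
        # Sort per user so "followed by" is evaluated on the real time order.
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        for index, event in enumerate(user_events):
            if event["result"] != "Successful":
                continue
            success_time = parse_ts(event["ts"])
            # Only failures strictly before the success and inside the window count.
            prior_fails = [
                f for f in user_events[:index]
                if f["result"] == "Fail"
                and success_time - window <= parse_ts(f["ts"]) < success_time
            ]
            count = len({f["id"] for f in prior_fails}) if distinct else len(prior_fails)
            if count >= min_fails:
                hits.append((user, event["ts"], count))
    return hits


if __name__ == "__main__":
    print("distinct request ids:", find_fail_then_success(EVENTS))
    print("raw event count:     ", find_fail_then_success(EVENTS, distinct=False))
```

Only alice matches when failures are counted by distinct request id; dave appears as a false positive as soon as raw events are counted, bob never matches because his success precedes the failures, and carol produces nothing because there is no failure stage to satisfy at all, which is the behaviour the post expects from the correlated query.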
