I am not sure of where you are getiting your data... But maybe you could modify this snippet..
index=wineventlog sourcetype=WinEventLog:Security (EventCode="4624" OR EventCode="4625") user!="*$"
| eval count_failure = if(action=="failure", 1, 0), count_success = if(action=="success", 1, 0)
| eval time_failure = if(action=="failure", _time, "-"), time_success = if(action=="success", _time, "-")
| stats min(time_failure) as first_fail, sum(count_failure) as count_failure, min(time_success) as first_success by user
| eval time_difference = first_success - first_fail
| where count_failure > 0
| search time_difference>400
| eval first_fail=strftime(first_fail,"%Y-%m-%d | %H:%M:%S"), first_success=strftime(first_success,"%Y-%m-%d | %H:%M:%S")
... View more