If you figure out this problem I would be very interested to hear it. I'm not sure why the Splunk employee is directing you to the AD reporting Add-on, but you are very much correct that there is a problem with the TA. This TA will give you UserLoggedIn as well as UserLogonFailed events, but will stop and then only continue to give you the audit data. If I can't find any more information I will have to file an urgent support ticket because I really need this data to continue to flow.
The Splunk Add-on for Microsoft Cloud Services uses the Office 365 Management Activity API to gather Azure AD information. The AAD data available from that API is detailed here, and the logon-specific data is here.
You can think of Azure AD as a totally different service than O365 or Azure. Both O365 and Azure use AAD for user identity and access management, but not in the same way. Therefore, the data you get from the O365 management activity API is specific to how O365 uses AAD. If you are looking for sign-in and audit data for AAD like you see in the Azure Portal, it won't be there. Instead, you can use the Microsoft Azure AD Reporting Add-on to get this data.
The logs he is referring to are the AzureAD.Audit from the O365 Management API. I think he is correct that the TA is now broken due to an issue either from a change on Microsoft's end or a misconfiguration in the TA. The last version of this TA was released to fix this exact issue, but it seems to be broken again.