Trying to figure out how to get a transaction search to show results where there are 5 or more failed logons (4625) and then a successful logon (4624). Have a transaction search that works, but all of the results are one failed logon followed by a successful logon. These are the typical fat-fingered the first time and then successfully logon scenarios. Want to see where there are more failed logon attempts and then the successful logon. Below is the base transaction search. Looked at the post ->
https colon slash slash answers dot splunk dot com/answers/351046/how-do-i-edit-my-transaction-search-to-find-over-3 dot html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev , but that seems to only work if one EventCode is in the search. Thank you in advance for your assistance.

index=wineventlog EventCode=4625 OR EventCode=4624 Account_Name!="*$" 
| transaction user, Workstation_Name maxspan=10m startswith=(action="failure") endswith=(action="success")