Splunk Search

Querying Events in Splunk for MS vs MS Add-on for splunk

zippo706
Explorer

I'm sending data from Azure SQL via event hub. Been using the MS add-on for Splunk, which has been working pretty well, but as it's EOL, trying the Splunk Add-on for Microsoft Cloud Services. First thing I noticed is how differently the logs are stored.

MS Add-on

JSON is clear.

properties.server_principal_name,  properties.statement

Splunk Add-on for MS Cloud Services:

2-4 records for each event. Takes 20-30 seconds to render in a search (index=sql).

records{}.properties.server_principal_name, records{}.properties.statement. Each one will have 2-4 values in it (SQLUSER, WEBUSER, OPSUSER). Strange thing is there will be 2-4 statements or other fields (records{}.properties.succeeded: true, true, true, true). Why 3 users and 4 success?

I'm trying to query this thing to get certain traffic, such as records{}.properties.server_principal_name="webuser" | table records{}.properties.statement, and all records are returned, but the statements returned are multiple, or simply not statements from WEBUSER.

My source is correct for audit logs mcsc:azure:eventhub

Is this the way it's supposed to act, and if so, can I get any pointers on how to get a spath query on this thing working, given that I only want statements from WEBUSER and that could be element 0, 1, 2 or 3 in a nest on each event?

0 Karma
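Added example, not from the original post or from either add-on. Splunk flattens every element of the records{} array into one multivalue field per event, so a record that carries a succeeded value but no server_principal_name contributes to one field and not the other, and the positions stop lining up (3 users, 4 successes). Expanding each array element into its own event before filtering restores the pairing; it assumes the events live in index=sql as in the post.

```spl
index=sql
| spath path=records{} output=record
| mvexpand record
| spath input=record
| search properties.server_principal_name="WEBUSER"
| table _time properties.server_principal_name properties.statement properties.succeeded
```

After `spath input=record` each expanded event has single-valued properties.* fields, so the WEBUSER filter only returns that user's own statements. mvexpand is bounded by max_mem_usage_mb in limits.conf, so keep the time range and index filter tight on large arrays.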