Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: nDepth Searches very slow and time out


Fundamentally, I agree - the data is there, and you should be able to reach it. The reality with search is that the more complex your search, the larger the results, and the farther back you want to go, the longer it is going to take. :/

Theoretically, searching anything you see in the refine fields should be fast to pull back numbers, regardless of the time frame. There's also a relatively short period of time that's resident in "warm" storage that will be faster to pull back the actual result details, so searching this week (today/yesterday) will definitely be faster than last month. (There are some dials they can turn on the back end to tweak that, but the cost is always disk space; the warm storage isn't compressed so it's pretty fat.)

I think there's some voodoo in how searches get optimized, too, that I used to understand really well but, as LEM evolved and the storage architecture changed, has started to get much more nuanced. In your case, I wonder if something like "IP Address = <list of IPs>" AND AlertName = UserLogon might be faster than UserLogon.SourceMachine = <list of IPs> - at least to fetch the initial result set, though I think both will suffer from the time to pull back the details. It would also be nice if LEM could do partial results better, so even if the search failed you could get to the results it did return.

Do you see the histogram at the top get drawn with all the necessary data before your search times out?

Have you increased your timeout beyond the default 5 minutes as well? (Yes, 5 minutes is still a long time.)
