I was having the same problem.
After some investigation, I found out the problem is not in the 'localize' command, but rather in 'map'.
As stated in the Documentation, map will iterate for each event found in the initial search with new time parameters. By default, the number of subsearch iterations is limited to 10.
So after it reaches 10, I suppose it stops searching for other occurrences.
I solved it by adding 'maxsearches=3000' in the map command section, right after the ending double quotes:
so in your case:
host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s | map search="search host=hostname1 OR host=hostname2 NOT source=WinEventLog:Security earliest=$starttime$ latest=$endtime$" maxsearches=3000
The Documentation also states that "A message is generated if there are more search results than the maximum number that you specify."
I guess they should have added this notification to the default use of 'map' without the 'maxsearches' option, because the result limitation seems weird without it.
Hope that helps.