Does this give you the results that you need?
index=SEP Sig_String="Attack: Bad Stuff" Remote_IP=10.* earliest=-2d@d latest=@d
| bin _time span=1d
| stats count by Remote_IP, _time
| stats count, latest(_time) as recent by Remote_IP
| eval yesterday=relative_time(now(),"-1d@d")
| where count=1 AND recent>=yesterday
What this does is look at the last 2 days and count each IP by day (the count here isn't important, but it's more efficient than dedup), then we count those just by IP. This will give us a count field that will be a "1" if that IP only shows up on one of the days, or a "2" if that IP shows up both days, and a recent field that will have a timestamp indicating which day was the most recent day. Then we create a field called "yesterday" that has the timestamp of midnight yesterday. This will allow us to filter our results to only show IPs that sent logs yesterday, but not the day before.
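Added example, not part of the original answer: the same pipeline logic replayed in Python over constructed events, so each stage can be checked against known input. The function name `new_yesterday`, the sample events and the fixed `NOW` are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(days=1)

def midnight(ts):
    """Snap a timestamp to the start of its day (what `bin _time span=1d` does)."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def new_yesterday(events, now):
    """events: (datetime, remote_ip) pairs already filtered to the signature."""
    today = midnight(now)        # latest=@d
    yesterday = today - DAY      # relative_time(now(), "-1d@d")
    earliest = today - 2 * DAY   # earliest=-2d@d

    # bin _time span=1d | stats count by Remote_IP, _time
    days_seen = defaultdict(set)
    for ts, ip in events:
        if earliest <= ts < today and ip.startswith("10."):  # Remote_IP=10.*
            days_seen[ip].add(midnight(ts))

    # stats count, latest(_time) as recent by Remote_IP
    # | where count=1 AND recent>=yesterday
    return sorted(ip for ip, days in days_seen.items()
                  if len(days) == 1 and max(days) >= yesterday)

# Constructed sample data; "now" is pinned so the result is reproducible.
NOW = datetime(2024, 5, 10, 9, 30)
SAMPLE_EVENTS = [
    (datetime(2024, 5, 9, 8, 0), "10.0.0.5"),     # yesterday only (twice)
    (datetime(2024, 5, 9, 14, 0), "10.0.0.5"),
    (datetime(2024, 5, 8, 10, 0), "10.0.0.7"),    # both days -> count=2, dropped
    (datetime(2024, 5, 9, 11, 0), "10.0.0.7"),
    (datetime(2024, 5, 8, 23, 59), "10.0.0.9"),   # day before only, dropped
    (datetime(2024, 5, 10, 1, 0), "10.0.0.11"),   # today, outside latest=@d
    (datetime(2024, 5, 9, 9, 0), "192.168.1.4"),  # does not match 10.*
    (datetime(2024, 5, 7, 12, 0), "10.0.0.13"),   # older than the 2-day window
    (datetime(2024, 5, 9, 9, 0), "10.0.0.13"),    # ...so this still looks new
]

if __name__ == "__main__":
    print(new_yesterday(SAMPLE_EVENTS, NOW))
```

The `10.0.0.13` case shows the limit of the two-day window: an IP seen three days ago and again yesterday is reported as new, because only the day before yesterday is compared.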