you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.
Well, you can do something similar to what you wrote:
... NOT (IP=X OR IP=Y)
Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:
... NOT (IP=192.168.0.0/24)
Or you could put them in a lookup and remove them using a subsearch:
... NOT [ | inputlookup <your lookup> ]
That last will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from and if you want to go down that route ask!
For small list, you can use following subsearch method. Provide space separated list of IP in the subsearch eval command.
index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz" | table IP | makemv IP ] ..| rest of the search