Yes, there is that option. The AND operator is implicit between search terms but can also be explicitly specified. The OR operator between search terms obviously removes the implicit AND. Additionally there is the NOT operator. So, you could do something like
xxx.xxx.xxx.xxx sourcetype="dns" NOT (query="*.yyy.com" OR query="*.zzz.com")
That depends on what you consider "unique" - you say you want the time info in your results, but as long as you start removing events you will obviously also remove their corresponding time info. You could run dedup with the query field as an argument to only get one event per query. I think it would be interesting to get a count of queries towards each domain from each IP address and at what times they occurred, by doing something like this (assuming the IP address is extracted to a field called ip_address 😞
... | stats values(eval(strftime(_time,"%+"))) as querytime,count by ip_address,query
... View more