New comment on reddit

If I understand you correctly, it sounds like you likely want a pair of searches – the first will run against the last 2 weeks, and dump the results into a lookup table

The second will open the lookup table, grab only data from the last 24h, and send those

Here's a very rough sample:

index=ndx sourcetype=srctp host=* ip=* earliest=-336h | eval when=_time | table host ip _time when | outputlookup twoweeks.csv

Follow-on:

| inputlookup twoweeks.csv | eval filter=now()-86400 | where when>filter | table host ip _time

July 31, 2020 at 01:11PM
via reddit https://www.reddit.com/r/Splunk/comments/i18u05/i_want_to_run_a_14_day_search_but_only_alert_on/fzvwce5?utm_source=ifttt
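The two-search pattern above, simulated in Python as an added example (not the commenter's code): the first function plays the role of the 14-day search that writes the lookup, the second plays the follow-on that keeps only rows whose `when` falls inside the last 24h. The events, hostnames, IPs and the fixed `NOW` are constructed sample data.

```python
import csv
import io

TWO_WEEKS = 14 * 86400   # earliest=-336h
ONE_DAY = 86400          # now()-86400

# Fixed "now" so the run is reproducible (constructed, epoch seconds).
NOW = 1_596_200_000

# Constructed events as the first search would see them: (host, ip, _time).
EVENTS = [
    ("web01", "10.0.0.5", NOW - 13 * 86400),  # inside 14d, outside 24h: stored, not alerted
    ("web02", "10.0.0.6", NOW - 3 * 3600),    # inside 24h: stored and alerted
    ("db01",  "10.0.0.9", NOW - 20 * 86400),  # older than 14d: never reaches the lookup
    ("web03", "10.0.0.7", NOW - ONE_DAY),     # exactly 24h old: excluded by the strict '>'
]


def build_lookup(events, now=NOW):
    """First search: keep the last 14 days, copy _time into 'when', emit the CSV
    that outputlookup twoweeks.csv would write."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "ip", "_time", "when"])
    for host, ip, t in events:
        if t >= now - TWO_WEEKS:
            writer.writerow([host, ip, t, t])
    return buf.getvalue()


def alert_rows(lookup_csv, now=NOW):
    """Follow-on search: inputlookup, then where when > now()-86400.
    Lookup fields read back as strings, so cast before comparing."""
    cutoff = now - ONE_DAY
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return [(r["host"], r["ip"], int(r["_time"]))
            for r in rows if int(r["when"]) > cutoff]


if __name__ == "__main__":
    lookup = build_lookup(EVENTS)
    print(lookup)
    print(alert_rows(lookup))
```

Note that `now()` is evaluated when the follow-on search runs, so the 24h window is measured from that run, not from when the lookup was written; if the first search has not run recently, the newest events are simply absent from the lookup.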