There are built-in macros that can assist with what you're trying to do.
`notable` | search NOT `suppression`
And you can take it from there with however else you want to proceed. We use one like this in a bubble chart viz to track notables that aren't suppressed, and their delta over the previous day, over 30 days.
`notable` | search eventtype!=notable_suppression* | bin _time span=24h | stats count by _time, search_name | streamstats window=2 global=f current=t first(count) as previous by search_name | eval delta=count-previous | eval time=_time | table search_name, time, delta, count
Another option would be to use the
That will only track notables that have been actioned somehow (hence tracked in the incident review KV store).
More information can be found here: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA
Hope that helps!
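To make the day-over-day search above concrete, here is an added Python model of what that SPL pipeline computes, run over a handful of constructed notable events; it is not code from the answer or from Splunk. It assumes each event carries `_time`, `search_name` and an `eventtype` list, and models the suppression filter as "drop any event tagged with an eventtype beginning `notable_suppression`" (an assumption about the intent, not a statement about Splunk's multivalue `!=` semantics). It reproduces `bin _time span=24h`, `stats count by _time, search_name`, and `streamstats window=2 current=t first(count) as previous by search_name`, and deliberately includes a search with no notables on one day, which shows that `previous` is the last day that produced a row rather than strictly the calendar day before.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample notables (not real data). eventtype is a list because a
# suppressed notable carries an extra "notable_suppression-..." eventtype.
SAMPLE_NOTABLES = [
    {"_time": "2024-03-01T09:12:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable"]},
    {"_time": "2024-03-01T11:40:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable", "notable_suppression-lab_hosts"]},
    {"_time": "2024-03-01T14:05:00+00:00", "search_name": "Excessive Failed Logins", "eventtype": ["notable"]},
    {"_time": "2024-03-02T02:30:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable"]},
    {"_time": "2024-03-02T08:15:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable"]},
    {"_time": "2024-03-02T21:50:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable"]},
    {"_time": "2024-03-03T07:00:00+00:00", "search_name": "Brute Force Access Behavior Detected", "eventtype": ["notable"]},
    {"_time": "2024-03-03T10:10:00+00:00", "search_name": "Excessive Failed Logins", "eventtype": ["notable"]},
    {"_time": "2024-03-03T16:45:00+00:00", "search_name": "Excessive Failed Logins", "eventtype": ["notable"]},
]

DAY = 86400


def to_epoch(iso_ts: str) -> int:
    """Parse an ISO-8601 timestamp with offset into Unix epoch seconds."""
    return int(datetime.fromisoformat(iso_ts).timestamp())


def is_suppressed(event: dict) -> bool:
    """Model of `search eventtype!=notable_suppression*` (assumed intent)."""
    return any(et.startswith("notable_suppression") for et in event.get("eventtype", []))


def bin_24h(epoch_seconds: int) -> int:
    """Model of `bin _time span=24h`: floor to the start of the UTC day."""
    return epoch_seconds - (epoch_seconds % DAY)


def notable_delta(events: list) -> list:
    """Return rows of search_name, time, delta, count as the SPL search would."""
    # stats count by _time, search_name (after the suppression filter)
    counts = defaultdict(int)
    for ev in events:
        if is_suppressed(ev):
            continue
        counts[(ev["search_name"], bin_24h(to_epoch(ev["_time"])))] += 1

    # stats emits rows ordered by _time then search_name; group per search
    # for the streamstats partition (global=f ... by search_name).
    per_search = defaultdict(list)
    for (name, day), count in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        per_search[name].append((day, count))

    rows = []
    for name, series in per_search.items():
        prev_count = None
        for day, count in series:
            # window=2 current=t: the first row's window holds only itself,
            # so first(count) is its own count and delta is 0. Later rows see
            # the previous *row* for this search, which is the previous day
            # only if that day produced any notables.
            previous = count if prev_count is None else prev_count
            rows.append({"search_name": name, "time": day, "delta": count - previous, "count": count})
            prev_count = count

    rows.sort(key=lambda r: (r["time"], r["search_name"]))
    return rows


if __name__ == "__main__":
    for row in notable_delta(SAMPLE_NOTABLES):
        print(row)
```

With the constructed data the brute-force search yields deltas 0, 2, -2 across the three days, while the failed-logins search, which produced nothing on the second day, compares day three against day one. If a strict calendar-day comparison matters for the visualisation, that gap is the case to watch for when reading the delta column.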