I think I am closer to the answer now, still need to do a lot of verification. For my needs, I think the second solution was a bit closer. Where I wound up:
index=notable source="*"
| search NOT `suppression`
| `get_event_hash`
| dedup event_hash
| fields * | table *
| where [search index=snaplec sourcetype=syslog-og | rex field=bridgeMsg "hash:\s+[\d.]+\s+(?<event_hash>(\S+))"
| fields event_hash
| dedup event_hash ]
| table event_hash _time search_name
| rename event_hash as Notable, _time as Time, search_name as "Rule Name"
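To check what the subsearch in that query actually selects, here is an added example (not the poster's SPL, and independent of Splunk) that emulates the same pipeline in Python over constructed data: the `rex` pattern extracts the hash from `bridgeMsg`, duplicates are dropped, and only notables whose `event_hash` appears in the syslog feed survive. The field names, sample messages and notable rows are all constructed for illustration; note the Python named-group syntax `(?P<name>...)` in place of Splunk's `(?<name>...)`.

```python
import re

# Python form of the post's rex; Splunk's (?<name>...) is (?P<name>...) in Python.
HASH_RE = re.compile(r"hash:\s+[\d.]+\s+(?P<event_hash>\S+)")

# Constructed sample bridgeMsg values (not real data).
BRIDGE_MSGS = [
    "bridge ack hash: 1.0 a1b2c3d4e5 delivered",
    "bridge ack hash: 2.1 ffee0011 delivered",
    "bridge ack hash: 1.0 a1b2c3d4e5 delivered",      # duplicate hash, collapsed by dedup
    "bridge retry hash:a1b2c3d4e5 no version field",  # no whitespace/version token: rex does not match
]

# Constructed rows standing in for index=notable: (event_hash, _time, search_name)
NOTABLES = [
    ("a1b2c3d4e5", "2024-01-01T00:00:00", "Brute Force Detected"),
    ("ffee0011",   "2024-01-01T00:05:00", "Malware Beacon"),
    ("deadbeef",   "2024-01-01T00:10:00", "Privilege Escalation"),   # not in syslog feed: filtered out
    ("a1b2c3d4e5", "2024-01-01T00:20:00", "Brute Force Detected"),   # same hash again: dropped by dedup
]


def bridge_hashes(msgs):
    """Emulates the subsearch (rex | fields event_hash | dedup): the set of hashes seen in syslog."""
    found = set()
    for msg in msgs:
        match = HASH_RE.search(msg)
        if match:
            found.add(match.group("event_hash"))
    return found


def dedup_first(rows):
    """Emulates `dedup event_hash`: keep the first row for each hash, in input order."""
    seen = set()
    kept = []
    for row in rows:
        if row[0] not in seen:
            seen.add(row[0])
            kept.append(row)
    return kept


def matched_notables(notables, msgs):
    """Outer search filtered by the subsearch result, then the final `table` and `rename`."""
    wanted = bridge_hashes(msgs)
    return [
        {"Notable": h, "Time": t, "Rule Name": name}
        for h, t, name in dedup_first(notables)
        if h in wanted
    ]


if __name__ == "__main__":
    for row in matched_notables(NOTABLES, BRIDGE_MSGS):
        print(row)
```

The fourth sample message shows the one edge the regex enforces: `hash:\s+[\d.]+\s+` requires whitespace and a numeric token between `hash:` and the value, so a message written as `hash:a1b2...` contributes nothing to the subsearch and its notable would silently be excluded.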