Interesting that you mention 30 suppressions maximum, as that seems to be some limit that displays in the Web UI, and it seems to be related to a recent upgrade from ES 4.0.1 to ES 4.1.3, as it used to not be the case for us.
We have ~300 suppressions that all used to show up under Configure --> Incident Management --> Notable Event Suppressions, but now it only displays 30 of them. However, all of the other ~270 are still there and working. You can see them in the Web UI:
Settings > Event types.
Search suppression event types using: notable_suppression-*
Or you can see them in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf
That said, I know that doesn't answer your question completely. For us it was important that we allowed our analysts the ability to implement suppressions based on an IP address or user for a specific notable, so we've given them the ability to do so.
What I still want to implement, though, is a process by which we audit those suppressions and consolidate/review as necessary.
Hope that helps.
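An added example, not part of the original post: one way to inventory the `notable_suppression-*` stanzas in `eventtypes.conf` for the kind of audit described above. The function names, the sample stanzas, and the assumption that an expiry appears as a `_time<epoch` bound in the search string are constructed for illustration.

```python
import re

PREFIX = "notable_suppression-"  # stanza prefix quoted in the post

# Constructed sample of eventtypes.conf content; search syntax is an assumption.
SAMPLE = r'''
[notable_suppression-scanner_src]
search = `get_notable_index` source="Example - Rule A" src="10.0.0.5" _time>1420070400 _time<1422748800
[notable_suppression-svc_backup]
search = `get_notable_index` source="Example - Rule B" \
    user="svc_backup" _time>1420070400
[notable_suppression-old_proxy]
disabled = 1
search = `get_notable_index` src="10.0.0.9" _time>1400000000 _time<1400600000
[failed_login]
search = tag=authentication action=failure
'''

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
        elif (m := re.fullmatch(r"\[(.+)\]", line)):
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_suppressions(text, now):
    """Return one review record per suppression stanza; other event types are skipped."""
    report = []
    for name, kv in parse_conf(text).items():
        if not name.startswith(PREFIX):
            continue
        search = kv.get("search", "")
        # Assumption: an expiry shows up as an upper bound "_time<epoch" in the search.
        end = re.search(r"_time\s*<=?\s*(\d+)", search)
        expires = int(end.group(1)) if end else None
        disabled = kv.get("disabled", "0").lower() in ("1", "true")
        status = ("disabled" if disabled else "no-expiry" if expires is None
                  else "expired" if expires < now else "active")
        fields = dict(re.findall(r'\b(src|dest|user)\s*=\s*"?([^"\s]+)', search))
        report.append({"name": name[len(PREFIX):], "status": status,
                       "expires": expires, "fields": fields})
    return report
```

Run it against the contents of the local `eventtypes.conf` with the current epoch time as `now`; records with status `no-expiry` or `expired` are the first candidates for review or consolidation.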