I figured out a workaround to this. By adding the following to the end of my correlation rule it checks the suppressed eventtypes first to see if there are anything that is suppressed with matching fields. If it find anything with matching fields that hasn't expired it doesn't return any results so the emails/tickets/notable/adaptive response actions are not triggered. | search NOT [ | 'suppression_eventtypes ' | eval _raw = search | extract | search source = "insert correlation rule name here" | eval tnow = now() | where tnow > start_time AND tnow ] suppression _eventtypes is a macro.. | rest splunk_server=local count=0 /services/saved/eventtypes | search title=notable_suppression* | rename title as eventtype | rex field=eventtype "notable_suppression-(?.+)" | rex field=search "_time>=?(?\d+)" | rex field=search "_time<=?(?\d+)" ... View more

suppression _eventtypes is a macro.. | rest splunk_server=local count=0 /services/saved/eventtypes | search title=notable_suppression* | rename title as eventtype | rex field=eventtype "notable_suppression-(?.+)" | rex field=search "_time>=?(?\d+)" | rex field=search "_time<=?(?\d+)" ... View more

I figured out a workaround to this. By adding the following to the end of my correlation rule it checks the suppressed eventtypes first to see if there are anything that is suppressed with matching fields. If it find anything with matching fields that hasn't expired it doesn't return any results so the emails/tickets/notable/adaptive response actions are not triggered. | search NOT [ | suppression_eventtypes | eval _raw = search | extract | search source = " " | eval tnow = now() | where tnow > start_time AND tnow | table ] ... View more

I ended up using the following queries to get the desired results sourcetype=linux_secure user=* ("Accepted Publickey" OR "session opened" OR "Accepted password") | stats latest(eval(if(vendor_action="session opened",_time, null()))) as logon_time by host user | eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time) | sort –count | stats list(user) as user, list(logon_time) as logon_time by host OR sourcetype=linux_secure source="/var/log/secure" (user=* OR ruser=*) ("Accepted Publickey" OR "session opened" OR "Accepted password") | eval logon_time =if(action="success",_time, null()) | stats latest(logon_time) as logon_time by host user | eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time) | stats list(*) as * by host | sort -logon_time Both seemed to work. ... View more

Thanks that helped! ... View more

That didn't seem to work for me unfortunately. Nothing resolved at all. I need it to show the latest/most recent logon event for the individual/unique user listed by Linux host. ... View more