FAQ: Distributed Cloud AIP displays no suppression results on Alerts page


I suppress an event from the Alerts page. When I click the Test Filter button, I don’t see any events that match the suppression.

Root Causes

There are two possible causes for this issue:

The event that contributed to the alert falls outside of the retention period.

The Test Filter button queries the raw events stream, not the contributing events stream. More information on the differences between raw and contributing events is available here. As a result, F5 Distributed Cloud App Infrastructure Protection (AIP) returns only potential suppressions that match raw events within your company’s event retention policy (one or three days). Contributing events, which Distributed Cloud AIP retains for one full calendar year from the date of the triggered alert, do not appear in the potential suppression results, and applying the suppression rule does not suppress them retroactively.

The data in the raw event search differs from the data in the alert search.

The Test Filter button queries the raw events stream, and the raw event search contains augmented data, whereas the alert search contains raw data. When you click Test Filter on the Alerts page, Distributed Cloud AIP therefore evaluates the suppression against the raw event search. Because that search holds augmented data, a suppression written against the raw alert data may match no potential suppressions there.

