Forum Discussion

Randy_Toombs
Aug 08, 2019

View logs for signature and learning suggestions

Is there any way to view logs for the learning suggestions that don't have traffic examples to go with the suggestions, and also when signatures have their enforcement-ready suggestions? From what I have been told you should be able to find some of these logs in BIG-IQ, but we don't have that set up, so I am looking to see if there is any other way to see why the suggestion is there. I have had it where, after a signature is updated, I get a suggestion to disable the new or updated signature. My concern is how it came to that suggestion. Is it from bad traffic, so we don't want to disable the signature but actually enforce it?

1 Reply

  • Hi Randy,

    As long as you have a logging profile applied to the virtual server (under the Resources tab within the virtual server settings) it should be logging the requests that led to the suggestion. They should appear under the suggestion when you select it in the GUI. That being said, depending on the suggestion there might not be any examples. It could simply be that your policy tightening settings are making the suggestion. You can find those settings in the GUI under Security >> Application Security : Policy Building : Learning and Blocking Settings >> Policy Building Process >> Tighten Policy (stabilize).

    Sometimes, when a policy suggests enabling certain violations that are not already enabled, it is determining how many requests it has processed that have NOT triggered the violation. So if you see a learning suggestion that says it has seen X number of requests but there are no examples of those requests, it is basically saying "We've detected X number of requests that are clean of the behavior that would trigger the violation, therefore we are assuming normal site operation will not trigger these violations". So some of those learning suggestions are to tighten the policy and enable blocking for those violations, since it has been determined that the normal traffic for the application does not typically trigger the violation.

    In short, depending on the learning suggestion that you are seeing, the policy could simply be suggesting that you enable those violations because it is seeing that the vast majority of the traffic does NOT trigger those violations.

    I hope that this makes sense. If it doesn't or if you are able to provide an example of one of the suggestions then feel free to let me know and I can potentially take a closer look.

    -Nathan F
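The two kinds of suggestion described in the reply above, modelled as an added example that is not part of the original thread and not F5's policy-builder code: a simplified stand-in for the logic, with constructed request records, placeholder signature names and an arbitrary clean-request threshold. It shows why a "disable" suggestion comes with example requests while an "enable" suggestion usually does not.

```python
from collections import defaultdict

# Constructed sample traffic: (request_id, set of violations/signatures that fired).
# The names are placeholders, not real ASM signature IDs.
SAMPLE_LOG = [
    (101, set()),
    (102, set()),
    (103, {"SIG_EXAMPLE_A"}),
    (104, set()),
    (105, set()),
    (106, {"SIG_EXAMPLE_A"}),
    (107, set()),
    (108, set()),
]


def build_suggestions(log, tracked, enabled, clean_threshold):
    """Return learning suggestions, each with a reason and any example requests.

    tracked: every violation/signature the policy watches.
    enabled: the subset currently enforced; the rest are candidates to tighten.
    clean_threshold: how many clean requests justify a 'tighten' suggestion.
    """
    hits = defaultdict(list)  # violation -> ids of requests that triggered it
    total = 0
    for req_id, fired in log:
        total += 1
        for v in fired:
            hits[v].append(req_id)

    suggestions = []
    for v in sorted(tracked):
        clean = total - len(hits[v])
        if v in enabled and hits[v]:
            # Live traffic tripped an enforced check: suggest relaxing it and
            # attach the requests so the reviewer can decide whether they are
            # attacks (keep or enforce the check) or false positives (relax it).
            suggestions.append({"violation": v, "action": "disable",
                                "examples": list(hits[v]),
                                "reason": f"{len(hits[v])} requests triggered it"})
        elif v not in enabled and not hits[v] and clean >= clean_threshold:
            # Nothing ever triggered it: suggest enabling. There are no example
            # requests because the evidence is the absence of hits.
            suggestions.append({"violation": v, "action": "enable",
                                "examples": [],
                                "reason": f"{clean} clean requests, 0 hits"})
    return suggestions
```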