By default, the JSON operator optimizes results by dropping messages that don't have the fields or keys specified in your query or if the JSON is invalid. When a message is dropped the user interface provides a warning message:
This is only a warning message to inform you that at least one log returned in the scope of the query did not have a specified key.
Use the nodrop option to prevent this optimization. For example, the following query is looking for the key
event and it has specified not to drop messages that do not have this key:
| json "event" nodrop
You can remove the warning about the key not being found by specifying the key(s) you need in the scope of the query, like this:
| json "event"
event is specified in the scope of the query, the JSON operator will only get logs that have
event in them.