By default, the JSON operator optimizes results by dropping messages that don't have the fields or keys specified in your query, or whose JSON is invalid. When a message is dropped, the user interface provides a warning message:
This is only a warning message to inform you that at least one log returned in the scope of the query did not have a specified key.
Use the nodrop option to prevent this optimization. For example, the following query looks for the key event and specifies that messages without this key should not be dropped:
_sourceCategory="nginx"
| json "event" nodrop
You can remove the warning about the key not being found by specifying the key(s) you need in the scope of the query, like this:
_sourceCategory="nginx" "event"
| json "event"
Since event is specified in the scope of the query, the JSON operator will only get logs that have event in them.
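The three query forms above can be compared side by side with a small model. This is an added example, not Sumo Logic code: the sample messages are constructed, json_operator and keyword_scope are hypothetical helper names, and the keyword scope is simplified to a raw substring match.

```python
import json

# Constructed sample messages standing in for _sourceCategory="nginx" logs.
SAMPLE_LOGS = [
    '{"event": "login_failed", "status": 401}',
    '{"status": 200, "path": "/health"}',   # valid JSON, no "event" key
    '{"status": 500, "path": "/api',        # truncated, invalid JSON
    '{"event": "config_change", "status": 204}',
]


def json_operator(messages, key, nodrop=False):
    """Model of `| json "<key>"` with or without nodrop (simplified).

    Returns (rows, dropped). rows holds (message, value) pairs; dropped is
    the number of messages removed because the key was missing or the JSON
    was invalid. With nodrop=True nothing is removed and value is None.
    """
    rows, dropped = [], 0
    for msg in messages:
        try:
            doc = json.loads(msg)
            value = doc.get(key) if isinstance(doc, dict) else None
        except json.JSONDecodeError:
            value = None
        if value is None and not nodrop:
            dropped += 1
            continue
        rows.append((msg, value))
    return rows, dropped


def keyword_scope(messages, keyword):
    """Assumed simplification of a keyword in the query scope:
    keep only messages whose raw text contains the keyword."""
    return [m for m in messages if keyword in m]


if __name__ == "__main__":
    rows, dropped = json_operator(SAMPLE_LOGS, "event")
    print("default:", len(rows), "returned,", dropped, "dropped")
    rows, dropped = json_operator(SAMPLE_LOGS, "event", nodrop=True)
    print("nodrop: ", len(rows), "returned,", dropped, "dropped")
    scoped = keyword_scope(SAMPLE_LOGS, "event")
    rows, dropped = json_operator(scoped, "event")
    print("scoped: ", len(rows), "returned,", dropped, "dropped")
```

Both the default form and the scoped form return two of the four messages; only the nodrop form keeps the two that lack the key, which matters when a search or alert needs to account for every log in the source.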