The AggregateAlert datatype includes various settings.

Table: AggregateAlert

ParameterTypeRequired[a]DefaultDescription
idstringyes Unique identifier of of the aggregate alert.
namestringyes Name of the aggregate alert.
descriptionstring  Description of the aggregate alert.
queryStringstringyes LogScale query to execute.
actions[Action]yes List of actions to fire on query result.
labels[string]yes Labels attached to the aggregate alert.
enabledbooleanyes Flag indicating whether the aggregate alert is enabled.
throttleTimeSecondslongyes Throttle time in seconds.
throttleFieldstring  A field to throttle on.
searchIntervalSecondslongyes Search interval in seconds.
queryTimestampTypeQueryTimestampTypeyes Timestamp type to use for a query. See the querytimestamptype table and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
triggerModeTriggerModeyes Trigger mode used for triggering the alert. See the triggermode table and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
lastTriggeredlong  Unix timestamp for last execution of trigger.
lastSuccessfulPolllong  Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
lastErrorstring  Last error encountered while running the aggregate alert.
lastWarnings[string]yes Last warnings encountered while running the aggregate alert.
yamlTemplateYAMLyes YAML specification of the aggregate alert.
packageIdVersionedPackageSpecifier  The unique identifier of the package of the aggregate alert template.
packagePackageInstallation  The package of which the aggregate alert was installed.
queryOwnershipQueryOwnershipyes Ownership of the query run by this alert.

[a] Some arguments may be required, as indicated in this column. For some fields, this column indicates that a result will always be returned for it.