The CreateAggregateAlert
input includes various settings.
Table: CreateAggregateAlert
| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column. | |||||
| Table last updated: Mar 28, 2025 | |||||
actionIdsOrNames | [string] | yes | Long-Term | List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname. The default value is an empty list of actions. | |
description | string | Long-Term | Description of the aggregate alert. | ||
enabled | boolean | yes | true | Long-Term | Flag indicating whether the aggregate alert is enabled. |
labels | [string] | yes | [ ] | Long-Term | Labels attached to the aggregate alert. The default value is an empty list of labels. |
name | string | yes | Long-Term | Name of the aggregate alert. | |
queryOwnershipType | QueryOwnershipType | yes | Long-Term | Ownership of the query run by this aggregate alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. | |
queryString | string | yes | Long-Term | LogScale query to execute. | |
queryTimestampType | QueryTimestampType | yes | Long-Term | Timestamp type to use for a query. See QueryTimestampType. | |
runAsUserId | string | Long-Term | The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user. | ||
searchIntervalSeconds | long | yes | Long-Term | Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds). | |
throttleField | string | Long-Term | A field to throttle on. Can only be set if throttleTimeSeconds is set. | ||
throttleTimeSeconds | long | yes | Long-Term | Throttle time in seconds. | |
triggerMode | TriggerMode | Long-Term | Trigger mode used for triggering the alert. See TriggerMode. | ||
viewName | repoOrViewName | yes | Long-Term | Name of the view of the aggregate alert. repoOrViewName is a scalar. | |