The AggregateAlert datatype for the configuration of an aggregate alert.

Table: AggregateAlert

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 30, 2025
actions[Action]yes Long-TermList of actions to fire on query result. See Action.
allowedActions[AssetAction]yes Short-TermList of actions allowed to fire on query result. See AssetAction .
createdInfoAssetCommitMetadata  Long-TermMetadata related to the creation of the aggregate alert. See AssetCommitMetadata.
descriptionstring  Long-TermDescription of the aggregate alert.
enabledbooleanyes Long-TermFlag indicating whether the aggregate alert is enabled.
idstringyes Long-TermUnique identifier of of the aggregate alert.
labels[string]yes Long-TermLabels attached to the aggregate alert.
lastErrorstring  Long-TermLast error encountered while running the aggregate alert.
lastSuccessfulPolllong  Long-TermUnix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
lastTriggeredlong  Long-TermUnix timestamp for last execution of trigger.
lastWarnings[string]yes Long-TermLast warnings encountered while running the aggregate alert.
modifiedInfoModifiedInfoyes Long-TermUser or token used to modify the asset. See ModifiedInfo.
namestringyes Long-TermName of the aggregate alert.
packagePackageInstallation  Long-TermThe package of which the aggregate alert was installed. See PackageInstallation.
packageIdVersionedPackageSpecifier  Long-TermThe unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar.
queryOwnershipQueryOwnershipyes Long-TermOwnership of the query run by this alert. See QueryOwnership.
queryStringstringyes Long-TermLogScale query to execute.
queryTimestampTypeQueryTimestampTypeyes Long-TermTimestamp type to use for a query. See QueryTimestampType and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
resourcestringyes Short-TermThe resource identifier for the aggregate alert.
searchIntervalSecondslongyes Long-TermSearch interval in seconds.
throttleFieldstring  Long-TermA field to throttle on.
throttleTimeSecondslongyes Long-TermThrottle time in seconds.
triggerModeTriggerModeyes Long-TermTrigger mode used for triggering the alert. See TriggerMode and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
yamlTemplateYAMLyes Long-TermThe yaml specification of the aggregate alert. YAML is a scalar.