createActionFromPackageTemplate()

API Stability	`Long-Term`

The createActionFromPackageTemplate() GraphQL mutation field may be used to create an action from a package action template.

For more information on creating an action, see the Actions documentation page. You may also want to look at the Packages page for related information.

Syntax

Below is the syntax for the createActionFromPackageTemplate() mutation field:

graphql

createActionFromPackageTemplate(
      viewName: string!
      packageId: VersionedPackageSpecifier!
      actionTemplateName: string!
      overrideName: string
   ): CreateActionFromPackageTemplateMutation!

For the package identifier, you'll have to enter the name of package, followed by an ampersand and the version number. As for the returned parameters, see the section here. Below is an example that may make the syntax easier to understand:

Show:

graphql

mutation {
  createActionFromPackageTemplate(
         viewName: "humio", 
         packageId: "crowdstrike/logscale-slack@1.0.0", 
         actionTemplateName: "Slack")
  {action {name, isAllowedToRun, allowedActions} }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createActionFromPackageTemplate( ^
         viewName: \"humio\",  ^
         packageId: \"crowdstrike/logscale-slack@1.0.0\",  ^
         actionTemplateName: \"Slack\") ^
  {action {name, isAllowedToRun, allowedActions} } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Show:

json

{
  "data": {
    "createActionFromPackageTemplate": {
      "action": {
        "name": "Slack",
        "isAllowedToRun": true,
        "allowedActions": [
          "Read",
          "Update"
        ]
      }
    }
  }
}

Given and Returned Datatypes

The given datatype VersionedPackageSpecifier is just a scalar. However, the returned datatype CreateActionFromPackageTemplateMutation has one parameter and several sub-parameters:

Table: CreateActionFromPackageTemplateMutation

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 25, 2025
`action`	`action`	yes	`Long-Term`	The action to create from a package template. See `Action`.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes