The createActionFromPackageTemplate() GraphQL mutation field may be used to create an action from a package action template.

For more information on creating an action, see the Actions documentation page. You may also want to look at the Packages page for related information.

Syntax

Below is the syntax for the createActionFromPackageTemplate() mutation field:

graphql
createActionFromPackageTemplate(
      viewName: string!
      packageId: VersionedPackageSpecifier!
      actionTemplateName: string!
      overrideName: string
   ): CreateActionFromPackageTemplateMutation!

For the package identifier, you'll have to enter the name of package, followed by an ampersand and the version number. As for the returned parameters, see the section here. Below is an example that may make the syntax easier to understand:

Raw
graphql
mutation {
  createActionFromPackageTemplate(
         viewName: "humio", 
         packageId: "crowdstrike/logscale-slack@1.0.0", 
         actionTemplateName: "Slack")
  {action {name, isAllowedToRun, allowedActions} }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createActionFromPackageTemplate( ^
         viewName: \"humio\",  ^
         packageId: \"crowdstrike/logscale-slack@1.0.0\",  ^
         actionTemplateName: \"Slack\") ^
  {action {name, isAllowedToRun, allowedActions} } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "createActionFromPackageTemplate": {
      "action": {
        "name": "Slack",
        "isAllowedToRun": true,
        "allowedActions": [
          "Read",
          "Update"
        ]
      }
    }
  }
}

Given and Returned Datatypes

The given datatype VersionedPackageSpecifier is just a scalar. However, the returned datatype CreateActionFromPackageTemplateMutation has its own parameter:

Table: CreateActionFromPackageTemplateMutation

ParameterTypeRequiredDefaultDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 24, 2024
ActionActionyes The action to create from a package template. See Action.