createActionFromPackageTemplate()

Summary

The createActionFromPackageTemplate() GraphQL mutation field may be used to create an action from a package action template.

Similar to this mutation is the createActionFromTemplate() mutation for creating an action from an action template. There are also a set of queries for extracting a YAML template from a package for creating other asset types: generateAlertFromPackageTemplate(), generateAggregateAlertFromPackageTemplate(), and generateFilterAlertFromPackageTemplate() for alerts, aggregate alerts and filter alerts; generateScheduledSearchFromPackageTemplate() for generating a scheduled search.

To update an action, you'll need to use the specific mutation for the type of action, such as updateEmailAction()) for an email action, and updateSlackAction() for a Slack action. Scan the bottom of the left margin for more actions to update. You can use deleteActionV2() to delete any action. You can add labels to actions with the addActionLabels() mutation.

Hide Query Example

Show Available Action Templates Query

To see action templates available in an installed package, you could use the installedPackage() query:

graphql

query {
      installedPackage(
          packageId: "humio/insights@0.0.14",
          viewName: "humio" )
        { actionTemplates { name, type, displayName } }
}

For more information on creating an action, see the Actions documentation page. You may also want to look at the Package Management page for related information.

API Stability Long-Term

Syntax

graphql

createActionFromPackageTemplate(
      viewName: string!,
      packageId: VersionedPackageSpecifier!,
      actionTemplateName: string!,
      overrideName: string
   ): CreateActionFromPackageTemplateMutation!

For the input, you would provide the name of the view, the unique identifier of the package, the action template's name, and a new name for the action. Click on the Show Query for an example of how to find this information.

For the results, you can get plenty of information on the action. See the Returned Values section for more.

Hide Query Example

Show Installed Packages Query

To see all installed packages for a repository and action templates available, you could use the repository() query:

graphql

query {
      repository( name: "our-repository" ) 
        { installedPackages { id, 
          package { actionTemplates { name, displayName, 
                                      type, yamlTemplate} }
         } 
      }
   }

Example

Raw

graphql

mutation {
  createActionFromPackageTemplate(
         viewName: "humio", 
         packageId: "crowdstrike/logscale-slack@1.0.0", 
         actionTemplateName: "Slack")
  {action {name, isAllowedToRun, allowedActions} }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createActionFromPackageTemplate( ^
         viewName: \"humio\",  ^
         packageId: \"crowdstrike/logscale-slack@1.0.0\",  ^
         actionTemplateName: \"Slack\") ^
  {action {name, isAllowedToRun, allowedActions} } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "createActionFromPackageTemplate": {
      "action": {
        "name": "Slack",
        "isAllowedToRun": true,
        "allowedActions": [
          "Read",
          "Update"
        ]
      }
    }
  }
}

Input Parameters

For the input, you would provide the name of the view, the unique identifier of the package, the action template's name, and a new name for the action. Click on the Show Query link in the Syntax section for an example of how to get these details.

Table: Input Parameters & Datatypes

Parameter	Type	Required	Description
This table contains all input parameters for this mutation.
actionTemplateName	string	yes	The name of the action template contained in the package.
overrideName	string		An alternative name for the action.
packageId	string	yes	The unique identifier of the package.
VersionedPackageSpecifier	string	yes	The package version. VersionedPackageSpecifier is a scalar.
viewName	string	yes	The name of the view.

Returned Values

For the results, you can get a list allowed actions, and other information related to the action, such as default settings of which you may be unaware when it was created. Below is a list of the return values you can request:

Table: CreateActionFromPackageTemplateMutation Datatype

Parameter	Type	Required	Stability	Description
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Mar 25, 2025
action	Action	yes	`Long-Term`	The action to create from a package template. See Action.

The datatype above uses another datatype for getting information on an action. For your convenience, the table for that sub-datatype is included here:

Table: Action Datatype

Parameter	Type	Required	Stability	Description
Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Sep 30, 2025
allowedActions	[AssetAction]	yes	`Short-Term`	A list of allowed asset actions. See AssetAction.
createdInfo	AssetCommitMetadata		`Long-Term`	Metadata related to the creation of the action. See AssetCommitMetadata.
displayName	string	yes	`Long-Term`	The display name of the action.
id	string	yes	`Long-Term`	The unique identifier of the action.
isAllowedToRun	boolean	yes	`Long-Term`	Whether the action is allowed to run. Should be false if this type of action is disabled because of a security policy.
labels	[string]	yes	`Preview`	Labels attached to the action.
modifiedInfo	AssetCommitMetadata		`Long-Term`	Metadata related to the latest modification of the action. See AssetCommitMetadata.
name	string	yes	`Long-Term`	The name of the action.
package	PackageInstallation		`Long-Term`	The package, if any, of which the action is part. See PackageInstallation.
packageId	VersionedPackageSpecifier		`Long-Term`	The unique identifier of the package. See VersionedPackageSpecifier.
requiresOrganizationOwnedQueriesPermissionToEdit	boolean	yes	`Long-Term`	This should be set to true if this action is used by triggers, where the query is run by the organization. If true, then the OrganizationOwnedQueries permission is required to edit the action.
resource	string	yes	`Short-Term`	The resource identifier for the action.
yamlTemplate	YAML	yes	`Long-Term`	A template that can be used to recreate the action. YAML is a scalar.

Versions of this Page

GraphQL Mutations

GraphQL API

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes