createActionFromPackageTemplate()

API Stability Long-Term

The createActionFromPackageTemplate() GraphQL mutation field may be used to create an action from a package action template.

Similar to this mutation is the createActionFromTemplate() mutation for creating an action from an action template. There are also a set of queries for extracting a YAML template from a package for creating other asset types: generateAlertFromPackageTemplate(), generateAggregateAlertFromPackageTemplate(), and generateFilterAlertFromPackageTemplate() for alerts, aggregate alerts and filter alerts; generateScheduledSearchFromPackageTemplate() for generating a scheduled search.

To update an action, you'll need to use the specific mutation for the type of action, such as updateEmailAction()) for an email action, and updateSlackAction() for a Slack action. Scan the bottom of the left margin for more actions to update. You can use deleteActionV2() to delete any action.

Hide Query Example

Show Available Action Templates Query

To see action templates available in an installed package, you could use the installedPackage() query:

graphql

query {
      installedPackage(
          packageId: "humio/insights@0.0.14",
          viewName: "humio" )
        { actionTemplates { name, type, displayName } }
}

For more information on creating an action, see the Actions documentation page. You may also want to look at the Package Management page for related information.

Syntax

graphql

createActionFromPackageTemplate(
      viewName: string!,
      packageId: VersionedPackageSpecifier!,
      actionTemplateName: string!,
      overrideName: string
   ): CreateActionFromPackageTemplateMutation!

There are no special input datatypes for this mutation field. VersionedPackageSpecifier is a scalar. For the package identifier, enter the name of the package, followed by an ampersand and the version number. As for the returned parameters, see the section here. See the Example section to make the syntax easier to understand.

Example

Below is an example of how this mutation field might be used:

Raw

graphql

mutation {
  createActionFromPackageTemplate(
         viewName: "humio", 
         packageId: "crowdstrike/logscale-slack@1.0.0", 
         actionTemplateName: "Slack")
  {action {name, isAllowedToRun, allowedActions} }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createActionFromPackageTemplate( ^
         viewName: \"humio\",  ^
         packageId: \"crowdstrike/logscale-slack@1.0.0\",  ^
         actionTemplateName: \"Slack\") ^
  {action {name, isAllowedToRun, allowedActions} } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createActionFromPackageTemplate(
         viewName: \"humio\", 
         packageId: \"crowdstrike/logscale-slack@1.0.0\", 
         actionTemplateName: \"Slack\")
  {action {name, isAllowedToRun, allowedActions} }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Success (HTTP Response Code 200 OK)

json

{
  "data": {
    "createActionFromPackageTemplate": {
      "action": {
        "name": "Slack",
        "isAllowedToRun": true,
        "allowedActions": [
          "Read",
          "Update"
        ]
      }
    }
  }
}

Returned Datatype

With the returned datatype you can get a list allowed actions, and other information related to the action, such as default settings of which you may be unaware when it was created. Below is a list of the return parameters you can specify:

Table: CreateActionFromPackageTemplateMutation

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Mar 25, 2025
action	Action	yes	`Long-Term`	The action to create from a package template. See Action.

Versions of this Page

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes