Security Requirements and Controls
API Stability Long-Term

The createActionFromTemplate() GraphQL mutation is used to create an action from a yaml template.

Similar to this mutation is the createActionFromPackageTemplate() mutation for creating an action from a package's action template. There are also a set of queries for extracting other asset types from a YAML template: generateAlertFromTemplate(), generateAggregateAlertFromTemplate(), and generateFilterAlertFromTemplate() for alerts, aggregate alerts and filter alerts; generateScheduledSearchFromTemplate() for generating a scheduled search from a template.

To update an action, you'll need to use the specific mutation for the type of action, such as updateEmailAction()) for an email action, and updateSlackAction() for a Slack action. Scan the bottom of the left margin for more actions to update. You can use deleteActionV2() to delete any action.

For more information on creating an action, see the Actions documentation page.

Syntax

graphql
createActionFromTemplate(
      input: CreateActionFromTemplateInput!
   ): Action!

For the given datatype, you'll have to provide the yamlTemplate parameter with a YAML template within quotes. That can be complicated. You might try copying one from a package template for a starting point, and then edit it to your needs. See createActionFromPackageTemplate() .

Example

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createActionFromTemplate(input:
        {viewName: "humio", 
         name: "test-action", 
         yamlTemplate: "name: Actor\nmethod: POST ... " } )
  { id, name, isAllowedToRun }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createActionFromTemplate(input: ^
        {viewName: \"humio\",  ^
         name: \"test-action\",  ^
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } ) ^
  { id, name, isAllowedToRun } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createActionFromTemplate(input:
        {viewName: \"humio\", 
         name: \"test-action\", 
         yamlTemplate: \"name: Actor\nmethod: POST ... \" } )
  { id, name, isAllowedToRun }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "createActionFromTemplate": {
      "id": "2zLdPUtUOtvi7htJTqNavETrnkODcz86",
      "name": "test-action",
      "isAllowedToRun": true
    }
  }
}

Given Datatype

For this input datatype, you would provide the name of the view associated with the action to create, and the YAML specification of the action. These parameters are listed and explained in the table below:

Table: CreateActionFromTemplateInput

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 17, 2024
namestringyes Long-TermThe name of the action.
viewNamestringyes Long-TermThe name of the view of the action.
yamlTemplateYAMLyes Long-TermA template that can be used to recreate the action. YAML is a scalar.

Returned Datatype

With the returned datatype you can get a list allowed actions, when the action was created and modified last and by whom, and other items. Below is a list of the return parameters you can specify:

Table: Action

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 30, 2025
allowedActions[AssetAction]yes Short-TermA list of allowed asset actions. See AssetAction.
createdInfoAssetCommitMetadata  Long-TermMetadata related to the creation of the action. See AssetCommitMetadata.
displayNamestringyes Long-TermThe display name of the action.
idstringyes Long-TermThe unique identifier of the action.
isAllowedToRunbooleanyes Long-TermWhether the action is allowed to run. Should be false if this type of action is disabled because of a security policy.
labels[string]yes PreviewLabels attached to the action.
modifiedInfoAssetCommitMetadata  Long-TermMetadata related to the latest modification of the action. See AssetCommitMetadata.
namestringyes Long-TermThe name of the action.
packagePackageInstallation  Long-TermThe package, if any, of which the action is part. See PackageInstallation.
packageIdVersionedPackageSpecifier  Long-TermThe unique identifier of the package. See VersionedPackageSpecifier.
requiresOrganizationOwnedQueriesPermissionToEditbooleanyes Long-TermThis should be set to true if this action is used by triggers, where the query is run by the organization. If true, then the OrganizationOwnedQueries permission is required to edit the action.
resourcestringyes Short-TermThe resource identifier for the action.
yamlTemplateYAMLyes Long-TermA template that can be used to recreate the action. YAML is a scalar.