createAggregateAlert()

API Stability	`Long-Term`

The createAggregateAlert() GraphQL mutation is used to create an aggregate alert.

For more information on aggregate alerts, see the Aggregate alerts documentation page.

Syntax

Below is the syntax for the createAggregateAlert() mutation field:

graphql

createAggregateAlert(
      input: CreateAggregateAlert!
   ): AggregateAlert!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  createAggregateAlert(input:
        {viewName: "humio", 
         name: "watch-for-sneak",
         queryString: "@host=*sneak*"
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createAggregateAlert(input: ^
        {viewName: \"humio\",  ^
         name: \"watch-for-sneak\", ^
         queryString: \"@host=*sneak*\" ^
         actionIdsOrNames: \"email-admin\", ^
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000, ^
         queryTimestampType: EventTimestamp, ^
         queryOwnershipType: Organization ^
        } ) ^
  { id, name } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\", 
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\"
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For CreateAggregateAlert, there are many parameters. Below is a list of them along with descriptions of each:

Table: CreateAggregateAlert

Parameter	Type	Required	Default	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`actionIdsOrNames`	[string]	yes		`Long-Term`	List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as `packagescope/packagename:actionname`. The default value is an empty list of actions.
`description`	string			`Long-Term`	Description of the aggregate alert.
`enabled`	boolean	yes	true	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
`labels`	[string]	yes	[ ]	`Long-Term`	Labels attached to the aggregate alert. The default value is an empty list of labels.
`name`	string	yes		`Long-Term`	Name of the aggregate alert.
`queryOwnershipType`	`QueryOwnershipType`	yes		`Long-Term`	Ownership of the query run by this aggregate alert. If value is User, ownership will be based on the runAsUserId field. See `QueryOwnershipType`.
`queryString`	string	yes		`Long-Term`	LogScale query to execute.
`queryTimestampType`	`QueryTimestampType`	yes		`Long-Term`	Timestamp type to use for a query. See `QueryTimestampType`.
`runAsUserId`	string			`Long-Term`	The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user.
`searchIntervalSeconds`	long	yes		`Long-Term`	Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds).
`throttleField`	string			`Long-Term`	A field to throttle on. Can only be set if throttleTimeSeconds is set.
`throttleTimeSeconds`	long	yes		`Long-Term`	Throttle time in seconds.
`triggerMode`	`TriggerMode`			`Long-Term`	Trigger mode used for triggering the alert. See `TriggerMode`.
`viewName`	`RepoOrViewName`	yes		`Long-Term`	Name of the view of the aggregate alert. `RepoOrViewName` is a scalar.

Returned Datatypes

AggregateAlert also has many parameters. Below is a list of them along with descriptions of each:

Table: AggregateAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 25, 2025
`actions`	[`Action`]	yes	`Long-Term`	List of actions to fire on query result. See `Action`.
`allowedActions`	[`AssetAction`]	yes	`Preview`	List of actions allowed to fire on query result. See `AssetAction`.
`description`	string		`Long-Term`	Description of the aggregate alert.
`enabled`	boolean	yes	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
`id`	string	yes	`Long-Term`	Unique identifier of of the aggregate alert.
`labels`	[string]	yes	`Long-Term`	Labels attached to the aggregate alert.
`lastError`	string		`Long-Term`	Last error encountered while running the aggregate alert.
`lastSuccessfulPoll`	long		`Long-Term`	Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
`lastTriggered`	long		`Long-Term`	Unix timestamp for last execution of trigger.
`lastWarnings`	[string]	yes	`Long-Term`	Last warnings encountered while running the aggregate alert.
`modifiedInfo`	`ModifiedInfo`	yes	`Preview`	Information about the aggregate alert that was modified. See `ModifiedInfo`.
`name`	string	yes	`Long-Term`	Name of the aggregate alert.
`package`	`PackageInstallation`		`Long-Term`	The package of which the aggregate alert was installed. See `PackageInstallation`.
`packageId`	`VersionedPackageSpecifier`		`Long-Term`	The unique identifier of the package of the aggregate alert template. `VersionedPackageSpecifier` is a scalar.
`queryOwnership`	`queryOwnership`	yes	`Long-Term`	Ownership of the query run by this alert. See `queryOwnership`.
`queryString`	string	yes	`Long-Term`	LogScale query to execute.
`queryTimestampType`	`QueryTimestampType`	yes	`Long-Term`	Timestamp type to use for a query. See `QueryTimestampType` and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
`resource`	string	yes	`Short-Term`	The resource identifier for the aggregate alert.
`searchIntervalSeconds`	long	yes	`Long-Term`	Search interval in seconds.
`throttleField`	string		`Long-Term`	A field to throttle on.
`throttleTimeSeconds`	long	yes	`Long-Term`	Throttle time in seconds.
`triggerMode`	`TriggerMode`	yes	`Long-Term`	Trigger mode used for triggering the alert. See `TriggerMode` and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
`yamlTemplate`	`yaml`	yes	`Long-Term`	YAML specification of the aggregate alert.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes