The createAggregateAlert() GraphQL mutation is used to create an aggregate alert.

For more information on aggregate alerts, see the Aggregate Alerts documentation page.

Syntax

Below is the syntax for the createAggregateAlert() mutation field:

```graphql
createAggregateAlert(
   input: CreateAggregateAlert!
): AggregateAlert!
```

Given Datatypes

The input, CreateAggregateAlert, accepts several parameters. Below is a list of them along with their datatypes and a description of each:

Table: CreateAggregateAlert

| Parameter | Type | Required[a] | Default | Description |
|---|---|---|---|---|
| viewName | RepoOrViewName | yes | | Name of the view of the aggregate alert. |
| name | string | yes | | Name of the aggregate alert. |
| description | string | | | Description of the aggregate alert. |
| queryString | string | yes | | LogScale query to execute. |
| actionIdsOrNames | [string] = [] | yes | | List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname. The default value is an empty list of actions. |
| labels | [string] = [] | yes | | Labels attached to the aggregate alert. The default value is an empty list of labels. |
| enabled | boolean | yes | | Flag indicating whether the aggregate alert is enabled. |
| throttleTimeSeconds | long | yes | | Throttle time in seconds. |
| throttleField | string | | | A field to throttle on. Can only be set if throttleTimeSeconds is set. |
| searchIntervalSeconds | long | yes | | Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds). |
| queryTimestampType | QueryTimestampType | yes | | Timestamp type to use for a query. |
| triggerMode | TriggerMode | | | Trigger mode used for triggering the alert. |
| runAsUserId | string | | | The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user. |
| queryOwnershipType | QueryOwnershipType | yes | | Ownership of the query run by this aggregate alert. If value is User, ownership will be based on the runAsUserId field. |

[a] Some arguments may be required, as indicated in this column. For some fields, this column indicates that a result will always be returned for it.
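
The constraints in the table above (allowed searchIntervalSeconds values, throttleField depending on throttleTimeSeconds, and the runAsUserId rules) can be checked before the mutation is sent. The following is an added example, not code from the LogScale documentation; the function names, the caller_id argument, and the sample values are assumptions made for illustration.

```python
# Added example: checks taken from the CreateAggregateAlert parameter table.

def valid_search_interval(seconds):
    """True if seconds is an allowed searchIntervalSeconds value."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        return False
    if 60 <= seconds <= 4800:        # 1-80 minutes, divisible by 60
        return seconds % 60 == 0
    if 4920 <= seconds <= 10800:     # 82-180 minutes, divisible by 120
        return seconds % 120 == 0
    if 14400 <= seconds <= 86400:    # 4-24 hours, divisible by 3600
        return seconds % 3600 == 0
    return False


def check_input(alert, caller_id):
    """Return a list of problems in a CreateAggregateAlert input dict."""
    problems = []
    if not valid_search_interval(alert.get("searchIntervalSeconds")):
        problems.append("searchIntervalSeconds: not an allowed value")
    if alert.get("throttleField") is not None and alert.get("throttleTimeSeconds") is None:
        problems.append("throttleField: needs throttleTimeSeconds")
    run_as = alert.get("runAsUserId")
    if run_as is not None:
        if alert.get("queryOwnershipType") == "Organization":
            # The table states this combination results in an error.
            problems.append("runAsUserId: not allowed with Organization ownership")
        elif run_as != caller_id:
            # Running as another user is gated by a dedicated permission.
            problems.append("runAsUserId: caller needs ChangeTriggersToRunAsOtherUsers")
    return problems


# Constructed sample input (hypothetical names; only the fields checked above).
SAMPLE = {
    "name": "failed-logins",
    "searchIntervalSeconds": 3600,
    "throttleTimeSeconds": 3600,
    "throttleField": "user",
    "queryOwnershipType": "User",
    "runAsUserId": "user-a",
}

if __name__ == "__main__":
    print(check_input(SAMPLE, caller_id="user-a"))
    print(check_input({**SAMPLE, "searchIntervalSeconds": 4860}, caller_id="user-b"))
```

An alert that sets runAsUserId to a user other than the caller runs its query with that user's permissions, so the last check is worth surfacing in change review.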


Returned Datatypes

The returned datatype AggregateAlert has its own parameters. Below is a list of them along with their datatypes and a description of each:

Table: AggregateAlert

| Parameter | Type | Required[a] | Default | Description |
|---|---|---|---|---|
| id | string | yes | | Unique identifier of the aggregate alert. |
| name | string | yes | | Name of the aggregate alert. |
| description | string | | | Description of the aggregate alert. |
| queryString | string | yes | | LogScale query to execute. |
| actions | [Action] | yes | | List of actions to fire on query result. |
| labels | [string] | yes | | Labels attached to the aggregate alert. |
| enabled | boolean | yes | | Flag indicating whether the aggregate alert is enabled. |
| throttleTimeSeconds | long | yes | | Throttle time in seconds. |
| throttleField | string | | | A field to throttle on. |
| searchIntervalSeconds | long | yes | | Search interval in seconds. |
| queryTimestampType | QueryTimestampType | yes | | Timestamp type to use for a query. See the querytimestamptype table and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article. |
| triggerMode | TriggerMode | yes | | Trigger mode used for triggering the alert. See the triggermode table and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article. |
| lastTriggered | long | | | Unix timestamp for last execution of trigger. |
| lastSuccessfulPoll | long | | | Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems. |
| lastError | string | | | Last error encountered while running the aggregate alert. |
| lastWarnings | [string] | yes | | Last warnings encountered while running the aggregate alert. |
| yamlTemplate | YAML | yes | | YAML specification of the aggregate alert. |
| packageId | VersionedPackageSpecifier | | | The unique identifier of the package of the aggregate alert template. |
| package | PackageInstallation | | | The package from which the aggregate alert was installed. |
| queryOwnership | QueryOwnership | yes | | Ownership of the query run by this alert. |

[a] Some arguments may be required, as indicated in this column. For some fields, this column indicates that a result will always be returned for it.