The createAggregateAlert() GraphQL mutation is used to create an aggregate alert.

For more information on aggregate alerts, see the Aggregate Alerts documentation page.

Syntax

Below is the syntax for the createAggregateAlert() mutation field:

```graphql
createAggregateAlert(
      input: CreateAggregateAlert!
   ): AggregateAlert!
```

Below is an example of how this mutation field might be used:

Raw

```graphql
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
```
Mac OS or Linux (curl)

```shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\",
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\",
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF
```
Mac OS or Linux (curl) One-line

```shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"query" : "mutation { createAggregateAlert(input: {viewName: \"humio\", name: \"watch-for-sneak\", queryString: \"@host=*sneak*\", actionIdsOrNames: \"email-admin\", throttleTimeSeconds: 100, searchIntervalSeconds: 18000, queryTimestampType: EventTimestamp, queryOwnershipType: Organization } ) { id, name } }"}'
```
Windows Cmd and curl

```shell
REM cmd.exe does not treat single quotes as quoting characters and expands
REM variables as %NAME%. The body is one double-quoted argument; the quotes
REM that must reach curl.exe literally are escaped as \" (and \\\" for the
REM \" sequences inside the GraphQL string).
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createAggregateAlert(input: {viewName: \\\"humio\\\", name: \\\"watch-for-sneak\\\", queryString: \\\"@host=*sneak*\\\", actionIdsOrNames: \\\"email-admin\\\", throttleTimeSeconds: 100, searchIntervalSeconds: 18000, queryTimestampType: EventTimestamp, queryOwnershipType: Organization } ) { id, name } }\"}"
```
Windows Powershell and curl

```powershell
# The JSON body is kept in a single-quoted string (no interpolation, \" stays
# literal) and piped to curl.exe, which reads it with -d @-. Piping avoids
# PowerShell re-quoting an argument that contains embedded double quotes.
# Lines are continued with a trailing backtick.
$body = '{"query" : "mutation { createAggregateAlert(input: {viewName: \"humio\", name: \"watch-for-sneak\", queryString: \"@host=*sneak*\", actionIdsOrNames: \"email-admin\", throttleTimeSeconds: 100, searchIntervalSeconds: 18000, queryTimestampType: EventTimestamp, queryOwnershipType: Organization } ) { id, name } }"}'

$body | curl.exe -v -X POST "$YOUR_LOGSCALE_URL/graphql" `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-'
```
Perl

```perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# Read the placeholders used throughout this page from the environment
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Single-quoted heredoc: no interpolation, so @host stays literal
my $query = <<'END_QUERY';
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
END_QUERY

# encode_json escapes the newlines and quotes, producing a valid JSON body
my $json = encode_json({ query => $query });

my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

print $result->decoded_content, "\n";
```
Python

```python
#! /usr/local/bin/python3

import os
import requests

# Read the placeholders used throughout this page from the environment
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

mutation = '''mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}'''

# json= serialises the dict to valid JSON (newlines in the mutation are
# escaped) and sets Content-Type: application/json
resp = requests.post(url,
                     json={"query": mutation},
                     headers={"Authorization": "Bearer " + token})

print(resp.text)
```
Node.js

```javascript
const https = require('https');

// Template literal so the mutation may span several lines
const query = `mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}`;

// JSON.stringify escapes the newlines and quotes into a valid JSON body
const data = JSON.stringify({ query });

// $YOUR_LOGSCALE_URL is the page's placeholder, e.g. https://<your-host>
const url = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

const options = {
  hostname: url.hostname,
  path: url.pathname,
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
```

Given Datatypes

For the input, CreateAggregateAlert, there are a few parameters. Below is a list of them along with a description of each:

Table: CreateAggregateAlert

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.

Table last updated: Sep 17, 2024

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| actionIdsOrNames | [string] | yes | | List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname. The default value is an empty list of actions. |
| description | string | | | Description of the aggregate alert. |
| enabled | boolean | yes | | Flag indicating whether the aggregate alert is enabled. |
| labels | [string] | yes | | Labels attached to the aggregate alert. The default value is an empty list of labels. |
| name | string | yes | | Name of the aggregate alert. |
| queryOwnershipType | QueryOwnershipType | yes | | Ownership of the query run by this aggregate alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. |
| queryString | string | yes | | LogScale query to execute. |
| queryTimestampType | QueryTimestampType | yes | | Timestamp type to use for a query. See QueryTimestampType. |
| runAsUserId | string | | | The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization while runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user. |
| searchIntervalSeconds | long | yes | | Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds). |
| throttleField | string | | | A field to throttle on. Can only be set if throttleTimeSeconds is set. |
| throttleTimeSeconds | long | yes | | Throttle time in seconds. |
| triggerMode | TriggerMode | | | Trigger mode used for triggering the alert. See TriggerMode. |
| viewName | RepoOrViewName | yes | | Name of the view of the aggregate alert. RepoOrViewName is a scalar. |
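As an added example (not code from the LogScale documentation), the same mutation sent with the input as a typed GraphQL variable instead of text spliced into the query, with the constraints from the table above (allowed searchIntervalSeconds values, throttleField needing throttleTimeSeconds, runAsUserId conflicting with Organization ownership) checked client-side before the body is built. The function names are chosen here; `$YOUR_LOGSCALE_URL` and `$TOKEN` are the page's placeholders, read from the environment.

```python
import os
from typing import Any

# Allowed searchIntervalSeconds values from the CreateAggregateAlert table:
# 1-80 min in steps of 60 s, 82-180 min in steps of 120 s, 4-24 h in steps of 3600 s.
def valid_search_interval(seconds: int) -> bool:
    if 60 <= seconds <= 4800:
        return seconds % 60 == 0
    if 4920 <= seconds <= 10800:
        return seconds % 120 == 0
    if 14400 <= seconds <= 86400:
        return seconds % 3600 == 0
    return False

def validate_input(alert: dict[str, Any]) -> list[str]:
    """Check the field constraints documented in the CreateAggregateAlert table."""
    problems = []
    if not valid_search_interval(alert.get("searchIntervalSeconds", 0)):
        problems.append("searchIntervalSeconds is not an allowed interval")
    if "throttleField" in alert and "throttleTimeSeconds" not in alert:
        problems.append("throttleField can only be set together with throttleTimeSeconds")
    if alert.get("queryOwnershipType") == "Organization" and "runAsUserId" in alert:
        problems.append("runAsUserId cannot be combined with Organization ownership")
    return problems

# The input travels as a typed GraphQL variable, not spliced into the query text,
# so alert names and query strings need no manual escaping.
MUTATION = """mutation CreateAlert($input: CreateAggregateAlert!) {
  createAggregateAlert(input: $input) { id name }
}"""

# The alert from the examples above as variables; enum values are plain strings here.
EXAMPLE_ALERT = {
    "viewName": "humio", "name": "watch-for-sneak",
    "queryString": "@host=*sneak*", "actionIdsOrNames": ["email-admin"],
    "throttleTimeSeconds": 100, "searchIntervalSeconds": 18000,
    "queryTimestampType": "EventTimestamp", "queryOwnershipType": "Organization",
}

def build_request(alert: dict[str, Any]) -> dict[str, Any]:
    problems = validate_input(alert)  # fail locally rather than with a server error
    if problems:
        raise ValueError("; ".join(problems))
    return {"query": MUTATION, "variables": {"input": alert}}

def send(alert: dict[str, Any]) -> dict[str, Any]:
    import requests  # imported here so the validation above runs without it installed
    resp = requests.post(os.environ["YOUR_LOGSCALE_URL"] + "/graphql", json=build_request(alert),
                         headers={"Authorization": "Bearer " + os.environ["TOKEN"]})
    resp.raise_for_status()
    return resp.json()
```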

Returned Datatypes

The returned AggregateAlert datatype has its own parameters. Below is a list of them along with their datatypes and a description of each:

Table: AggregateAlert

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| actions | [Action] | yes | | List of actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | List of actions allowed to fire on query result. See AssetAction. |
| description | string | | | Description of the aggregate alert. |
| enabled | boolean | yes | | Flag indicating whether the aggregate alert is enabled. |
| id | string | yes | | Unique identifier of the aggregate alert. |
| labels | [string] | yes | | Labels attached to the aggregate alert. |
| lastError | string | | | Last error encountered while running the aggregate alert. |
| lastSuccessfulPoll | long | | | Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems. |
| lastTriggered | long | | | Unix timestamp for last execution of trigger. |
| lastWarnings | [string] | yes | | Last warnings encountered while running the aggregate alert. |
| modifiedInfo | ModifiedInfo | yes | | Information about the aggregate alert that was modified. See ModifiedInfo. |
| name | string | yes | | Name of the aggregate alert. |
| package | PackageInstallation | | | The package from which the aggregate alert was installed. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | | | The unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | Ownership of the query run by this alert. See QueryOwnership. |
| queryString | string | yes | | LogScale query to execute. |
| queryTimestampType | QueryTimestampType | yes | | Timestamp type to use for a query. See QueryTimestampType and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article. |
| searchIntervalSeconds | long | yes | | Search interval in seconds. |
| throttleField | string | | | A field to throttle on. |
| throttleTimeSeconds | long | yes | | Throttle time in seconds. |
| triggerMode | TriggerMode | yes | | Trigger mode used for triggering the alert. See TriggerMode and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article. |
| yamlTemplate | yaml | yes | | YAML specification of the aggregate alert. |