Security Requirements and Controls
API Stability: Long-Term

The createAggregateAlert() GraphQL mutation is used to create an aggregate alert.

There are a few related mutations: updateAggregateAlertV2() to update an aggregate alert; disableAggregateAlertV2() and enableAggregateAlertV2() for disabling and enabling aggregate alerts; and deleteAggregateAlertV2() for deleting.


For a better understanding of aggregate alerts, see the Triggers page in the main documentation.

Syntax

```graphql
createAggregateAlert(
      input: CreateAggregateAlert!
   ): AggregateAlert!
```

Example

Below is an example of how this mutation field might be used:

Raw
```graphql
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
```
Mac OS or Linux (curl)
```shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAggregateAlert(input:
        {viewName: \"humio\",
         name: \"watch-for-sneak\",
         queryString: \"@host=*sneak*\",
         actionIdsOrNames: \"email-admin\",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF
```
Mac OS or Linux (curl) One-line

The same request with the whole JSON body on a single line, so it contains no raw newlines inside the JSON string:
```shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"query" : "mutation { createAggregateAlert(input: {viewName: \"humio\", name: \"watch-for-sneak\", queryString: \"@host=*sneak*\", actionIdsOrNames: \"email-admin\", throttleTimeSeconds: 100, searchIntervalSeconds: 18000, queryTimestampType: EventTimestamp, queryOwnershipType: Organization } ) { id, name } }"}'
```
Windows Cmd and curl

Cmd cannot quote a JSON body containing nested double quotes reliably, and single quotes are not quoting characters in Cmd, so save the body to a file and let curl read it with `-d @query.json`. Environment variables in Cmd are referenced as `%NAME%`, not `$NAME`.
```shell
rem Contents of query.json (one line, valid JSON):
rem {"query" : "mutation { createAggregateAlert(input: {viewName: \"humio\", name: \"watch-for-sneak\", queryString: \"@host=*sneak*\", actionIdsOrNames: \"email-admin\", throttleTimeSeconds: 100, searchIntervalSeconds: 18000, queryTimestampType: EventTimestamp, queryOwnershipType: Organization } ) { id, name } }"}
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d @query.json
```
Windows Powershell and curl

Build the body with `ConvertTo-Json` so quotes and newlines inside the query are escaped correctly, then feed it to `curl.exe` on standard input. `@-` is quoted because a bare `@` starts splatting syntax in PowerShell, and each continued line ends with a backtick.
```powershell
$query = @'
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
'@
$body = @{ query = $query } | ConvertTo-Json -Compress
$body | curl.exe -v -X POST "$YOUR_LOGSCALE_URL/graphql" `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-'
```
Perl
```perl
#!/usr/bin/perl
use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# Token and base URL come from the environment rather than being hard-coded.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Single-quoted heredoc: nothing interpolates, so "@host" is not read as a Perl array.
my $query = <<'END_QUERY';
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
END_QUERY

# encode_json escapes the quotes and newlines so the body is valid JSON.
my $json = encode_json({ query => $query });

my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

print $result->status_line, "\n";
print $result->decoded_content, "\n";
```
Python
```python
#!/usr/bin/env python3

import os
import requests

# Base URL and token are read from the environment; nothing is hard-coded.
url = f"{os.environ['YOUR_LOGSCALE_URL']}/graphql"
token = os.environ["TOKEN"]

query = """
mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}
"""

# json= serialises the body (escaping quotes and newlines) and sets Content-Type.
resp = requests.post(
    url,
    json={"query": query},
    headers={"Authorization": f"Bearer {token}"},
    timeout=30,
)
resp.raise_for_status()
print(resp.text)
```
Node.js
```javascript
const https = require('https');

// A template literal makes the multi-line query a valid JS string;
// JSON.stringify escapes the quotes and newlines for the request body.
const query = `mutation {
  createAggregateAlert(input:
        {viewName: "humio",
         name: "watch-for-sneak",
         queryString: "@host=*sneak*",
         actionIdsOrNames: "email-admin",
         throttleTimeSeconds: 100, searchIntervalSeconds: 18000,
         queryTimestampType: EventTimestamp,
         queryOwnershipType: Organization
        } )
  { id, name }
}`;
const data = JSON.stringify({ query });

// YOUR_LOGSCALE_URL is the base URL, e.g. https://logscale.example.com
const base = new URL(process.env.YOUR_LOGSCALE_URL);

const options = {
  hostname: base.hostname,
  path: '/graphql',
  port: base.port || 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    // Print the whole payload: GraphQL returns HTTP 200 with an "errors" array on failure.
    console.log(JSON.parse(body));
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
```

Given Datatype

For this input datatype, you would provide the name of the view associated with the aggregate alert to create, the query string to execute, actions to take when the aggregate alert is triggered and a few other factors. These are listed and explained, along with other parameters, in the table below:

Table: CreateAggregateAlert

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actionIdsOrNames | [string] | yes | | Long-Term | List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname. The default value is an empty list of actions. |
| description | string | | | Long-Term | Description of the aggregate alert. |
| enabled | boolean | yes | true | Long-Term | Flag indicating whether the aggregate alert is enabled. |
| labels | [string] | yes | [ ] | Long-Term | Labels attached to the aggregate alert. The default value is an empty list of labels. |
| name | string | yes | | Long-Term | Name of the aggregate alert. |
| queryOwnershipType | QueryOwnershipType | yes | | Long-Term | Ownership of the query run by this aggregate alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. |
| queryString | string | yes | | Long-Term | The LogScale query to execute. |
| queryTimestampType | QueryTimestampType | yes | | Long-Term | Timestamp type to use for a query. See QueryTimestampType. |
| runAsUserId | string | | | Long-Term | The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization while runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the ChangeTriggersToRunAsOtherUsers permission to set this field to a user id different from the calling user. |
| searchIntervalSeconds | long | yes | | Long-Term | Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds). |
| throttleField | string | | | Deprecated | The field on which to throttle. This can be set only if throttleTimeSeconds is set. Aggregate alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use the throttleFields field instead. |
| throttleFields | [string] | | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set. Ten throttle fields can be added at most. |
| throttleTimeSeconds | long | yes | | Long-Term | Throttle time in seconds. |
| triggerMode | TriggerMode | | | Long-Term | Trigger mode used for triggering the alert. See TriggerMode. |
| viewName | RepoOrViewName | yes | | Long-Term | Name of the view of the aggregate alert. RepoOrViewName is a scalar. |
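The input table above spells out constraints that the server will otherwise reject at call time: the searchIntervalSeconds grid, at most ten throttleFields, and runAsUserId only together with User ownership. The following Python client is an added example, not LogScale's own code; it checks those constraints locally and sends the mutation with GraphQL variables instead of pasting values into the query text, so a queryString taken from a user cannot alter the mutation itself, and it surfaces the `errors` array that GraphQL returns alongside an HTTP 200. The helper names, the MAX_THROTTLE_FIELDS constant and the environment variables YOUR_LOGSCALE_URL and TOKEN are assumptions; the mutation, input fields and enum values are the ones documented on this page.

```python
#!/usr/bin/env python3
"""Build, validate and send a createAggregateAlert() request using GraphQL variables.

Added example, not LogScale's own client. Helper names and the two
environment variables (YOUR_LOGSCALE_URL, TOKEN) are assumptions.
"""
import json
import os
import urllib.request

# The mutation text is a constant; caller-supplied values travel in `variables`,
# so a queryString such as  } ) { id } }  cannot break out of the mutation.
MUTATION = """
mutation CreateAggregateAlert($input: CreateAggregateAlert!) {
  createAggregateAlert(input: $input) { id, name }
}
"""

MAX_THROTTLE_FIELDS = 10  # documented limit for throttleFields


def valid_search_interval(seconds: int) -> bool:
    """Apply the documented searchIntervalSeconds grid."""
    if 60 <= seconds <= 4800:          # 1-80 minutes, whole minutes
        return seconds % 60 == 0
    if 4920 <= seconds <= 10800:       # 82-180 minutes, 2-minute steps
        return seconds % 120 == 0
    if 14400 <= seconds <= 86400:      # 4-24 hours, whole hours
        return seconds % 3600 == 0
    return False


def build_request(view_name, name, query_string, actions, throttle_seconds,
                  search_interval, ownership="Organization", run_as_user_id=None,
                  throttle_fields=(), timestamp_type="EventTimestamp", enabled=True):
    """Return the JSON body for POST /graphql, or raise ValueError on bad input."""
    if not valid_search_interval(search_interval):
        raise ValueError(f"searchIntervalSeconds {search_interval} is not an allowed value")
    if len(throttle_fields) > MAX_THROTTLE_FIELDS:
        raise ValueError("at most 10 throttle fields are allowed")
    if ownership == "Organization" and run_as_user_id is not None:
        raise ValueError("runAsUserId may only be set when queryOwnershipType is User")
    alert = {
        "viewName": view_name,
        "name": name,
        "queryString": query_string,
        "actionIdsOrNames": list(actions),
        "throttleTimeSeconds": throttle_seconds,
        "searchIntervalSeconds": search_interval,
        "queryTimestampType": timestamp_type,   # enum values are plain strings in variables
        "queryOwnershipType": ownership,
        "enabled": enabled,
    }
    if throttle_fields:
        alert["throttleFields"] = list(throttle_fields)
    if run_as_user_id is not None:
        alert["runAsUserId"] = run_as_user_id
    return {"query": MUTATION, "variables": {"input": alert}}


def check_response(payload: dict) -> dict:
    """GraphQL answers HTTP 200 even on failure; raise if the `errors` array is present."""
    if payload.get("errors"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in payload["errors"]))
    return payload["data"]["createAggregateAlert"]


def send_mutation(base_url: str, token: str, body: dict) -> dict:
    """POST the body with a bearer token (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{base_url}/graphql",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same alert as the page's example, expressed through variables.
    body = build_request("humio", "watch-for-sneak", "@host=*sneak*",
                         ["email-admin"], 100, 18000)
    print(json.dumps(body, indent=2))
    if os.environ.get("YOUR_LOGSCALE_URL") and os.environ.get("TOKEN"):
        print(check_response(send_mutation(os.environ["YOUR_LOGSCALE_URL"],
                                           os.environ["TOKEN"], body)))
```

Run without the environment variables set, the script only prints the request body it would send; with them set it creates the alert and prints the returned `id` and `name`, or raises with the server's error messages.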

Returned Datatype

You can get the query string used by the aggregate alert, what actions are triggered, and the trigger mode (i.e., whether it fires immediately or waits a certain amount of time, to avoid firing prematurely). These and other parameters are listed in the table below, along with links to related datatype tables.

Table: AggregateAlert

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actions | [Action] | yes | | Long-Term | List of actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | Short-Term | List of actions allowed to fire on query result. See AssetAction. |
| createdInfo | AssetCommitMetadata | | | Long-Term | Metadata related to the creation of the aggregate alert. See AssetCommitMetadata. |
| description | string | | | Long-Term | Description of the aggregate alert. |
| enabled | boolean | yes | | Long-Term | Flag indicating whether the aggregate alert is enabled. |
| id | string | yes | | Long-Term | Unique identifier of the aggregate alert. |
| labels | [string] | yes | | Long-Term | Labels attached to the aggregate alert. |
| lastError | string | | | Long-Term | Last error encountered while running the aggregate alert. |
| lastSuccessfulPoll | long | | | Long-Term | Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems. |
| lastTriggered | long | | | Long-Term | Unix timestamp for last execution of trigger. |
| lastWarnings | [string] | yes | | Long-Term | Last warnings encountered while running the aggregate alert. |
| modifiedInfo | ModifiedInfo | yes | | Long-Term | User or token used to modify the asset. See ModifiedInfo. |
| name | string | yes | | Long-Term | Name of the aggregate alert. |
| package | PackageInstallation | | | Long-Term | The package from which the aggregate alert was installed. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | | | Long-Term | The unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | Long-Term | Ownership of the query run by this alert. See QueryOwnership. |
| queryString | string | yes | | Long-Term | LogScale query to execute. |
| queryTimestampType | QueryTimestampType | yes | | Long-Term | Timestamp type to use for a query. See QueryTimestampType and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article. |
| resource | string | yes | | Short-Term | The resource identifier for the aggregate alert. |
| searchIntervalSeconds | long | yes | | Long-Term | Search interval in seconds. |
| throttleField | string | | | Deprecated | The field on which to throttle. This can be set only if throttleTimeSeconds is set. Aggregate alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use the throttleFields field instead. |
| throttleFields | [string] | | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set. |
| throttleTimeSeconds | long | yes | | Long-Term | Throttle time in seconds. |
| triggerMode | TriggerMode | yes | | Long-Term | Trigger mode used for triggering the alert. See TriggerMode and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article. |
| yamlTemplate | YAML | yes | | Long-Term | The yaml specification of the aggregate alert. YAML is a scalar. |