Security Requirements and Controls

Summary

The createAlert() GraphQL mutation is used to create an alert in LogScale.

API Stability: Long-Term

Syntax

```graphql
createAlert(
      input: CreateAlert!
   ): Alert!
```

For the input, you must give the name of the view, the query string to execute, the actions to take, and a few other values. See the Input Parameters section for details.

For the results, you can request most of the alert's fields, including its identifier and name. See the Returned Values section for what's available.

Example

Raw

```graphql
mutation {
  createAlert(input:
        {viewName: "humio",
         name: "sneak-alert",
         queryString: "@host=*sneak*",
         queryStart: "1day",
         actions: "email-admin",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}
```
Mac OS or Linux (curl)

```shell
# A JSON string may not contain raw newlines. The trailing backslashes inside the
# unquoted heredoc join the lines, so the "query" value is sent as one line.
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation { \
  createAlert(input: \
        {viewName: \"humio\", \
         name: \"sneak-alert\", \
         queryString: \"@host=*sneak*\", \
         queryStart: \"1day\", \
         actions: \"email-admin\", \
         throttleTimeMillis: 180000, \
         queryOwnershipType: Organization \
        } ) \
  { id, name } \
}"
}
EOF
```
Mac OS or Linux (curl) One-line

```shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { createAlert(input: {viewName: \"humio\", name: \"sneak-alert\", queryString: \"@host=*sneak*\", queryStart: \"1day\", actions: \"email-admin\", throttleTimeMillis: 180000, queryOwnershipType: Organization } ) { id, name } }"}'
```
Windows Cmd and curl

```shell
rem Keep the whole -d argument on one line: the caret does not continue a line inside a quoted string.
rem Inside the argument, \" is a JSON quote and \\\" is a quote inside the GraphQL string.
rem curl reads -d @file from a file, so the body is passed inline instead.
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createAlert(input: {viewName: \\\"humio\\\", name: \\\"sneak-alert\\\", queryString: \\\"@host=*sneak*\\\", queryStart: \\\"1day\\\", actions: \\\"email-admin\\\", throttleTimeMillis: 180000, queryOwnershipType: Organization } ) { id, name } }\"}"
```
Windows Powershell and curl

```powershell
# Build the JSON body with ConvertTo-Json so the embedded quotes are escaped
# correctly, then feed it to curl.exe on stdin (-d @-) instead of passing it as
# an argument, which sidesteps PowerShell's native-command quoting rules.
$query = 'mutation { createAlert(input: {viewName: "humio", name: "sneak-alert", queryString: "@host=*sneak*", queryStart: "1day", actions: "email-admin", throttleTimeMillis: 180000, queryOwnershipType: Organization } ) { id, name } }'
$body = @{ query = $query } | ConvertTo-Json -Compress

$body | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-' `
    "$YOUR_LOGSCALE_URL/graphql"
```
Perl

```perl
#!/usr/bin/perl
use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;
use JSON::PP qw(encode_json);

# Base URL and API token are read from the environment; replace with literals if preferred.
my $base_url = $ENV{YOUR_LOGSCALE_URL};
my $TOKEN    = $ENV{TOKEN};

my $uri = "$base_url/graphql";

# Single-quoted heredoc: no interpolation, so "@host" is not treated as an array
# and the embedded double quotes survive untouched.
my $query = <<'GRAPHQL';
mutation {
  createAlert(input:
        {viewName: "humio",
         name: "sneak-alert",
         queryString: "@host=*sneak*",
         queryStart: "1day",
         actions: "email-admin",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}
GRAPHQL

# encode_json escapes the quotes and newlines, producing a valid JSON body.
my $json = encode_json({ query => $query });
my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

print $result->decoded_content, "\n";
```
Python

```python
#! /usr/local/bin/python3

import os
import requests

# Base URL and API token are read from the environment; replace with literals if preferred.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

# The mutation is an ordinary Python string. The json= parameter below serialises
# it into valid JSON, escaping the embedded quotes and newlines.
query = '''mutation {
  createAlert(input:
        {viewName: "humio",
         name: "sneak-alert",
         queryString: "@host=*sneak*",
         queryStart: "1day",
         actions: "email-admin",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}'''

resp = requests.post(url,
                     json={"query": query},
                     headers={
    "Authorization": "Bearer " + token,
    "Content-Type": "application/json"
})

print(resp.text)
```
Node.js

```javascript
const https = require('https');

// A template literal keeps the multi-line mutation a valid JS string;
// JSON.stringify then escapes the quotes and newlines into valid JSON.
const data = JSON.stringify({
  query: `mutation {
  createAlert(input:
        {viewName: "humio",
         name: "sneak-alert",
         queryString: "@host=*sneak*",
         queryStart: "1day",
         actions: "email-admin",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}`,
});

// YOUR_LOGSCALE_URL holds the base URL (scheme and host); the path is appended here.
const url = new URL('/graphql', process.env.YOUR_LOGSCALE_URL);

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Byte length, not character count, in case the query contains non-ASCII text.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
```
Example Responses
Success (HTTP Response Code 200 OK)

```json
{
  "data": {
    "createAlert": {
      "id": "abc123",
      "name": "sneak-alert"
    }
  }
}
```

Input Parameters

For the input, you would provide the name of the view associated with the alert to create, the query string to execute, actions to take when the alert is triggered and a few other factors. These are listed and explained, along with other parameters, in the table below:

Table: CreateAlert Input Datatype

Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.

Table last updated: Aug 18, 2025

| Parameter | Type | Required | Default | Stability | Description |
| --- | --- | --- | --- | --- | --- |
| actions | [string] | yes | | Long-Term | List of unique identifiers of actions to execute on query result. |
| description | string | yes | | Long-Term | Description of the alert. |
| enabled | boolean | yes | true | Long-Term | Flag indicating whether the alert is enabled. |
| labels | string | yes | [ ] | Long-Term | Labels attached to the alert. |
| name | string | yes | | Long-Term | Name of the alert. |
| queryOwnershipType | QueryOwnershipType | | User | Long-Term | Ownership of the query run by this alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. |
| queryStart | string | yes | | Long-Term | Start of the relative time interval for the query. |
| queryString | string | yes | | Long-Term | LogScale query to execute. |
| runAsUserId | string | | | Long-Term | The alert will run with the permissions of the user corresponding to this unique identifier if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization while this field is set, this will result in an error. If not specified, the alert will run with the permissions of the calling user. It requires the ChangeTriggersToRunAsOtherUsers permission to set this field to a user id different from the calling user. |
| throttleField | string | yes | | Long-Term | Field on which to throttle. |
| throttleTimeMillis | string | yes | | Long-Term | Throttle time in milliseconds. |
| viewName | string | yes | | Long-Term | Name of the view of the alert. |
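The following is an added example, not code from the LogScale documentation or project. It builds the same createAlert request as the examples above but passes the alert definition as a GraphQL variable instead of splicing values into the mutation text (so a queryString containing quotes or braces cannot alter the mutation), enforces the runAsUserId/queryOwnershipType rule from the table before sending, and reads the response including a GraphQL-level error. The function names and the two sample responses are constructed for illustration.

```python
import json

# Constructed sample responses (not captured from a real LogScale instance).
# GraphQL servers commonly answer HTTP 200 even when the mutation failed, so the
# "errors" array must be checked rather than the status code alone.
SAMPLE_OK = '{"data": {"createAlert": {"id": "abc123", "name": "sneak-alert"}}}'
SAMPLE_ERR = '{"errors": [{"message": "runAsUserId not allowed with Organization"}], "data": null}'


def build_create_alert_request(view_name, name, query_string, query_start, actions,
                               throttle_time_millis, query_ownership_type="User",
                               run_as_user_id=None, description="", labels=()):
    """Return the JSON body (dict) for createAlert, with the alert in "variables".

    Field names follow the CreateAlert input table; the mutation text is constant.
    """
    if query_ownership_type not in ("User", "Organization"):
        raise ValueError("queryOwnershipType must be User or Organization")
    if query_ownership_type == "Organization" and run_as_user_id is not None:
        # The input table documents this combination as a server-side error; fail early.
        raise ValueError("runAsUserId may only be set when queryOwnershipType is User")
    if not isinstance(throttle_time_millis, int) or throttle_time_millis <= 0:
        raise ValueError("throttleTimeMillis must be a positive integer")
    alert_input = {
        "viewName": view_name,
        "name": name,
        "description": description,
        "enabled": True,              # table default
        "labels": list(labels),
        "queryString": query_string,  # sent as data, never parsed as GraphQL
        "queryStart": query_start,
        "actions": list(actions),
        "throttleTimeMillis": throttle_time_millis,
        "queryOwnershipType": query_ownership_type,
    }
    if run_as_user_id is not None:
        alert_input["runAsUserId"] = run_as_user_id
    mutation = ("mutation CreateAlert($input: CreateAlert!) "
                "{ createAlert(input: $input) { id, name } }")
    return {"query": mutation, "variables": {"input": alert_input}}


def parse_create_alert_response(body_text):
    """Return {"ok": True, "id", "name"} on success, else {"ok": False, "errors": [...]}."""
    body = json.loads(body_text)
    if body.get("errors"):
        return {"ok": False, "errors": [e.get("message", "") for e in body["errors"]]}
    alert = body["data"]["createAlert"]
    return {"ok": True, "id": alert["id"], "name": alert["name"]}
```

The returned dict is what you would pass to `requests.post(url, json=...)` with the same Authorization header as the Python example above.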

Returned Values

You can get the query string used by the alert, what actions are triggered, and any error messages from when it was last executed. These are listed in the table below, along with links to related datatype tables.

Table: Alert Datatype

Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.

Table last updated: Oct 29, 2025

| Parameter | Type | Required | Default | Stability | Description |
| --- | --- | --- | --- | --- | --- |
| actions | string | yes | | Long-Term | List of identifiers for actions to fire on query result. |
| actionsV2 | [Action] | yes | | Long-Term | List of unique identifiers for actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | Short-Term | List of allowed actions. See AssetAction. |
| createdInfo | AssetCommitMetadata | | | Long-Term | Metadata related to the creation of the alert. See AssetCommitMetadata. |
| description | string | | | Long-Term | Description of alert. |
| displayName | string | yes | | Long-Term | Name of the alert. |
| enabled | boolean | yes | | Long-Term | Flag indicating whether the alert is enabled. |
| id | string | yes | | Long-Term | The identifier of the alert. |
| labels | [string] | yes | | Long-Term | Labels attached to the alert. |
| lastError | string | | | Long-Term | Last error encountered while running the alert. |
| lastWarnings | [string] | yes | | Long-Term | Last warnings encountered while running the alert. |
| name | string | yes | | Long-Term | The name of the alert. |
| package | PackageInstallation | | | Long-Term | A package installation. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | | | Long-Term | The unique identifier of the package installed, if one was used. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | Long-Term | Ownership of the query run by the alert. See QueryOwnership. |
| queryStart | string | yes | | Long-Term | Start of the relative time interval for the query. |
| queryString | string | yes | | Long-Term | LogScale query to execute. |
| resource | string | yes | | Short-Term | The resource identifier for the alert. |
| runAsUser | User | | | Long-Term | Identifier of user by which the alert is run. See User. |
| throttleField | string | | | Long-Term | Field on which to throttle alert. |
| throttleTimeMillis | long | yes | | Long-Term | Throttle time in milliseconds. |
| timeOfLastTrigger | long | | | Long-Term | UNIX timestamp for when the alert was last triggered. |
| yamlTemplate | string | yes | | Long-Term | The yaml formatted text that describes the alert. |