createAlert()

API Stability	`Long-Term`

The createAlert() GraphQL mutation is used to create an alert in LogScale.

For more information on creating alerts, see the Create triggers documentation page. You may also want to look at the Triggers page for related information.

Syntax

Below is the syntax for the createAlert() mutation field:

graphql

createAlert(
      input: CreateAlert!
   ): Alert!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  createAlert(input:
        {viewName: "humio", 
         name: "sneak-alert",
         queryString: "@host=*sneak*"
         queryStart: "1day",
         actions: "email-admin",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createAlert(input: ^
        {viewName: \"humio\",  ^
         name: \"sneak-alert\", ^
         queryString: \"@host=*sneak*\" ^
         queryStart: \"1day\", ^
         actions: \"email-admin\", ^
         throttleTimeMillis: 180000, ^
         queryOwnershipType: Organization ^
        } ) ^
  { id, name } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createAlert(input:
        {viewName: \"humio\", 
         name: \"sneak-alert\",
         queryString: \"@host=*sneak*\"
         queryStart: \"1day\",
         actions: \"email-admin\",
         throttleTimeMillis: 180000,
         queryOwnershipType: Organization
        } )
  { id, name }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Show:

json

{
  "data": {
    "createAlert": {
      "id": "KgWTtXgAwdIGngp3vQ0HTlyefUAWhMXf",
      "name": "sneak-alert"
    }
  }
}

Given Datatypes

For createAlert, there are several parameters that may be given. Below is a list of them along with a description of each:

Table: CreateAlert

Parameter	Type	Required	Default	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`actions`	[string]	yes		`Long-Term`	List of unique identifiers of actions to execute on query result.
`description`	string	yes		`Long-Term`	Description of the alert.
`enabled`	boolean	yes	true	`Long-Term`	Flag indicating whether the alert is enabled.
`labels`	boolean	yes	[ ]	`Long-Term`	Labels attached to the alert.
`name`	string	yes		`Long-Term`	Name of the alert.
`queryOwnershipType`	`QueryOwnershipType`		User	`Long-Term`	Ownership of the query run by this alert. If value is User, ownership will be based on the runAsUserId field. See `QueryOwnershipType`.
`queryStart`	string	yes		`Long-Term`	Start of the relative time interval for the query.
`queryString`	string	yes		`Long-Term`	LogScale query to execute.
`runAsUserId`	string			`Long-Term`	The alert will run with the permissions of the user corresponding to this ID if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user.
`throttleField`	string	yes		`Long-Term`	Field on which to throttle.
`throttleTimeMillis`	string	yes		`Long-Term`	Throttle time in milliseconds.
`viewName`	string	yes		`Long-Term`	Name of the view of the alert.

Returned Datatypes

The returned datatype alert) has several parameters. Below is a list of them along with a description of each:

Table: Alert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`actions`	string	yes	`Long-Term`	List of identifiers for actions to fire on query result.
`actionsV2`	[`Action`]	yes	`Long-Term`	List of unique identifiers for actions to fire on query result. See `Action`.
`allowedActions`	[`AssetAction`]	yes	`Preview`	List of allowed actions. The is a preview; it may be changed. See `AssetAction`.
`description`	string		`Long-Term`	Description of alert.
`displayName`	string	yes	`Long-Term`	Name of the alert.
`enabled`	boolean	yes	`Long-Term`	Flag indicating whether the alert is enabled.
`id`	string	yes	`Long-Term`	The identifier of the alert.
`isStarred`	boolean	yes	`Long-Term`	Whether the calling user has starred the alert. This has been deprecated and is no longer in use and has no effect. It will be removed in version 1.213.
`labels`	[string]	yes	`Long-Term`	Labels attached to the alert.
`lastError`	string		`Long-Term`	Last error encountered while running the alert.
`lastWarnings`	[string]	yes	`Long-Term`	Last warnings encountered while running the alert.
`name`	string	yes	`Long-Term`	The name of the alert.
`package`	`PackageInstallation`		`Long-Term`	A package installation. See `PackageInstallation`.
`packageId`	`VersionedPackageSpecifier`		`Long-Term`	The unique identifier of the package installed, if one was used. `VersionedPackageSpecifier` is a scalar.
`queryOwnership`	`QueryOwnership`	yes	`Long-Term`	Ownership of the query run by the alert. See `QueryOwnership`.
`queryStart`	string	yes	`Long-Term`	Start of the relative time interval for the query.
`queryString`	string	yes	`Long-Term`	LogScale query to execute.
`resource`	string	yes	`Short-Term`	The resource identifier for the alert.
`runAsUser`	`User`		`Long-Term`	Identifier of user by which the alert is run. See `User`.
`throttleField`	string		`Long-Term`	Field on which to throttle alert.
`throttleTimeMillis`	long	yes	`Long-Term`	Throttle time in milliseconds.
`timeOfLastTrigger`	long		`Long-Term`	UNIX timestamp for when the alert was last triggered.
`yamlTemplate`	string	yes	`Long-Term`	A YAML formatted string that describes the alert.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes

createAlert()

Syntax

Given Datatypes

Returned Datatypes

Enter search term