createFdrFeed()

API Stability	`Long-Term`

The createFdrFeed() GraphQL mutation field is used to create an FDR feed.

Syntax

Below is the syntax for the createFdrFeed() mutation field:

graphql

createFdrFeed(
       input: CreateFdrFeed!
    ): FdrFeed!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createFdrFeed(input: ^
         {name: \"my-fdr-feed\", ^
          repositoryName: \"humio\", ^
          parser: \"humio\", ^
          clientId: \"1234\", ^
          clientSecret: \"psst\", ^
          sqsUrl: \"https://fdr.company.com\", ^
          s3Identifier: \"xxxx\", ^
          enabled: false ^
        } ^
    ) ^
  { id, name, enabled } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For CreateFdrFeed, there are a few parameters. Below is a list of them:

Table: CreateFdrFeed

Parameter	Type	Required	Default	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`clientId`	string	yes		The AWS client identifier of the FDR feed.
`clientSecret`	string	yes		The AWS client secret of the FDR feed.
`description`	string			A description of the FDR feed.
`enabled`	boolean	yes	true	Whether ingest from the FDR feed is enabled.
`name`	string	yes		The name of the FDR feed.
`parser`	string	yes		The unique identifier or name of the parser that should be used to parse the FDR data. We recommend using the FDR parser from the crowdstrike/fdr package, which can be referred to as crowdstrike/fdr:FDR.
`repositoryName`	string	yes		The name of the repository of the FDR feed.
`s3Identifier`	string	yes		The AWS S3 identifier of the FDR feed.
`sqsUrl`	string	yes		The AWS SQS queue URL of the FDR feed.

Returned Datatypes

As indicated by the syntax above, this mutation will return data using the datatype, FdrFeed. Below are the parameters of that datatype:

Table: FdrFeed

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 25, 2024
`clientId`	string	yes	`Long-Term`	The AWS client identifier of the FDR feed.
`description`	string		`Long-Term`	A description of the FDR feed.
`enabled`	boolean	yes	`Long-Term`	Whether ingest from the FDR feed is enabled.
`id`	string	yes	`Long-Term`	Unique identifier of the FDR feed.
`name`	string	yes	`Long-Term`	Name of the FDR feed.
`parserId`	string	yes	`Long-Term`	The unique identifier of the parser that is used to parse the FDR data.
`s3Identifier`	string	yes	`Long-Term`	The AWS S3 identifier of the FDR feed.
`sqsUrl`	string	yes	`Long-Term`	The AWS SQS queue URL of the FDR feed.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes

createFdrFeed()

Syntax

Given Datatypes

Returned Datatypes

Enter search term