createFilterAlert()

API Stability	`Long-Term`

The createFilterAlert() GraphQL mutation may be used to create a filter alert.

For more information on filter alerts, see the Filter alerts documentation page.

Syntax

Below is the syntax for the createFilterAlert() mutation field:

graphql

createFilterAlert(
      input: CreateFilterAlert!
   ): FilterAlert!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  createFilterAlert(input:
      { viewName: "humio",
        name: "rose-alert",
        queryString: "@host=localhost",
        actionIdsOrNames: "email-admin",
        queryOwnershipType: Organization
      } )
  { id }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createFilterAlert(input: ^
      { viewName: \"humio\", ^
        name: \"rose-alert\", ^
        queryString: \"@host=localhost\", ^
        actionIdsOrNames: \"email-admin\", ^
        queryOwnershipType: Organization ^
      } ) ^
  { id } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Show:

json

{
  "data": {
    "createFilterAlert": {
      "id": "yMwt58cLfnSpWtFPWGdCBKsfXf7D4mnP"
    }
  }
}

Given Datatypes

For CreateFilterAlert, there are several parameters. Below is a list of them:

Table: CreateFilterAlert

Parameter	Type	Required	Default	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`actionIdsOrNames`	[string]	yes		`Long-Term`	List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as `packagescope/packagename:actionname`.
`description`	string	yes		`Long-Term`	Description of the filter alert.
`enabled`	boolean		true	`Long-Term`	Flag indicating whether the filter alert is enabled.
`labels`	[string]	yes	[ ]	`Long-Term`	Labels attached to the filter alert.
`name`	string	yes		`Long-Term`	Name of the filter alert.
`queryOwnershipType`	`QueryOwnershipType`	yes		`Long-Term`	Ownership of the query run by this filter alert. If value is User, ownership will be based on the runAsUserId field. See `QueryOwnershipType`.
`queryString`	string	yes		`Long-Term`	LogScale query to execute.
`runAsUserId`	string			`Long-Term`	The filter alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the filter alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user.
`throttleField`	string			`Long-Term`	A field to throttle on. Can only be set if throttleTimeSeconds is set.
`throttleTimeSeconds`	long			`Long-Term`	Throttle time in seconds.
`viewName`	`RepoOrViewName`	yes		`Long-Term`	Name of the view of the filter alert. `RepoOrViewName` is a scalar.

Returned Datatypes

The returned datatype FilterAlert also has several parameters. Below is a list of them along with descriptions of each:

Table: FilterAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 26, 2025
`actions`	[`Action`]	yes	`Long-Term`	List of unique identifiers for actions to fire on query result. See `Action`.
`allowedActions`	[`AssetAction`]	yes	`Preview`	List of actions allowed on which to filter query results. See `AssetAction`.
`description`	string		`Long-Term`	Description of the filter alert.
`enabled`	boolean	yes	`Long-Term`	Whether the filter alert is enabled.
`id`	string	yes	`Long-Term`	The unique identifier of the filter alert.
`labels`	[string]	yes	`Long-Term`	Labels attached to the filter alert.
`lastError`	string		`Long-Term`	Last error encountered while running the filter alert.
`lastErrorTime`	long		`Long-Term`	Unix timestamp for last error.
`lastSuccessfulPoll`	long		`Long-Term`	Unix timestamp for last successful poll of the filter alert query. If this is not quite recent, then the alert might be having problems.
`lastTriggered`	long		`Long-Term`	Unix timestamp for last execution of trigger.
`lastWarnings`	[string]	yes	`Long-Term`	Last warnings encountered while running the filter alert.
`modifiedInfo`	`modifiedInfo`		`Long-Term`	User or token used to modify the asset. See `ModifiedInfo`. This is a preview and subject to change.
`name`	string	yes	`Long-Term`	The name of the filter alert.
`package`	`PackageInstallation`		`Long-Term`	The package of which the alert was installed. See `PackageInstallation`.
`packageId`	`VersionedPackageSpecifier`		`Long-Term`	The unique identifier of the package of which the alert was installed. `VersionedPackageSpecifier` is a scalar.
`queryOwnership`	`queryOwnership`	yes	`Long-Term`	Ownership of the query run by this alert. See `QueryOwnership`.
`queryString`	string	yes	`Long-Term`	The LogScale query to execute.
`resource`	string	yes	`Short-Term`	The resource identifier for this filter alert.
`throttleField`	string		`Long-Term`	A field to throttle on. Can only be set if throttleTimeSeconds is set.
`throttleTimeSeconds`	long		`Long-Term`	The throttle time in seconds.
`yamlTemplate`	`yaml`	yes	`Long-Term`	YAML specification of the filter alert.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes