The createFilterAlert() GraphQL mutation may be used to create a filter alert.

For more information on filter alerts, see the Filter Alerts documentation page.

Syntax

Below is the syntax for the createFilterAlert() mutation field:

graphql
createFilterAlert(
      input: CreateFilterAlert!
   ): FilterAlert!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createFilterAlert(input:
      { viewName: "humio",
        name: "rose-alert",
        queryString: "@host=localhost",
        actionIdsOrNames: "email-admin",
        queryOwnershipType: Organization
      } )
  { id }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  createFilterAlert(input: ^
      { viewName: \"humio\", ^
        name: \"rose-alert\", ^
        queryString: \"@host=localhost\", ^
        actionIdsOrNames: \"email-admin\", ^
        queryOwnershipType: Organization ^
      } ) ^
  { id } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}'
"$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  createFilterAlert(input:
      { viewName: \"humio\",
        name: \"rose-alert\",
        queryString: \"@host=localhost\",
        actionIdsOrNames: \"email-admin\",
        queryOwnershipType: Organization
      } )
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "createFilterAlert": {
      "id": "yMwt58cLfnSpWtFPWGdCBKsfXf7D4mnP"
    }
  }
}

Given Datatypes

For the input CreateFilterAlert, there are several parameters. Below is a list of them:

Table: CreateFilterAlert

ParameterTypeRequiredDefaultDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 17, 2024
actionIdsOrNames[string]yes List of unique identifiers or names for actions to fire on query result. Actions in packages can be referred to as packagescope/packagename:actionname.
descriptionstringyes Description of the filter alert.
enabledboolean  Flag indicating whether the filter alert is enabled.
labels[string]yes Labels attached to the filter alert.
namestringyes Name of the filter alert.
queryOwnershipTypeQueryOwnershipTypeyes Ownership of the query run by this filter alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType.
queryStringstringyes LogScale query to execute.
runAsUserIdstring  The filter alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the filter alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user.
throttleFieldstring  A field to throttle on. Can only be set if throttleTimeSeconds is set.
throttleTimeSecondslong  Throttle time in seconds.
viewNameRepoOrViewNameyes Name of the view of the filter alert. RepoOrViewName is a scalar.

Returned Datatypes

The returned datatype FilterAlert also has several parameters. Below is a list of them along with descriptions of each:

Table: FilterAlert

ParameterTypeRequiredDefaultDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
actions[Action]yes List of unique identifiers for actions to fire on query result. See Action.
allowedActions[AssetAction]yes List of actions allowed on which to filter query results. See AssetAction.
descriptionstring  Description of the filter alert.
enabledbooleanyes Whether the filter alert is enabled.
idstringyes The unique identifier of the filter alert.
labels[string]yes Labels attached to the filter alert.
lastErrorstring  Last error encountered while running the filter alert.
lastErrorTimelong  Unix timestamp for last error.
lastSuccessfulPolllong  Unix timestamp for last successful poll of the filter alert query. If this is not quite recent, then the alert might be having problems.
lastTriggeredlong  Unix timestamp for last execution of trigger.
lastWarnings[string]yes Last warnings encountered while running the filter alert.
modifiedInfoModifiedInfo  User or token used to modify the asset. See ModifiedInfo. This is a preview and subject to change.
namestringyes The name of the filter alert.
packagePackageInstallation  The package of which the alert was installed. See PackageInstallation.
packageIdVersionedPackageSpecifier  The unique identifier of the package of which the alert was installed. VersionedPackageSpecifier is a scalar.
queryOwnershipQueryOwnershipyes Ownership of the query run by this alert. See QueryOwnership.
queryStringstringyes The LogScale query to execute.
throttleFieldstring  A field to throttle on. Can only be set if throttleTimeSeconds is set.
throttleTimeSecondslong  The throttle time in seconds.
yamlTemplateyamlyes YAML specification of the filter alert.