Stability Level Long-Term
API Stability Long-Term

The disableAggregateAlertV2() GraphQL mutation is used to disable an aggregate alert.

The mutation field replaces disableAggregateAlert(), which is deprecated.

Syntax

Below is the syntax for the disableAggregateAlertV2() mutation field:

graphql
disableAggregateAlertV2(
       input: DisableAggregateAlert!
    ): AggregateAlert

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  disableAggregateAlertV2( input: {
       viewName: "humio",
       id: "7Yekl392FPEWnbXTtg6IS5lKu3mdq"
  } )
  {name, enabled}
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  disableAggregateAlertV2( input: { ^
       viewName: \"humio\", ^
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\" ^
  } ) ^
  {name, enabled} ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  disableAggregateAlertV2( input: {
       viewName: \"humio\",
       id: \"7Yekl392FPEWnbXTtg6IS5lKu3mdq\"
  } )
  {name, enabled}
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "disableAggregateAlertV2": {
      "name": "Special Aggregator",
      "enabled": true
    }
  }
}

Given Datatypes

For the DisableAggregateAlert given datatype, there are a couple of parameters. Below is a list of them, along with a description of each.

Table: DisableAggregateAlert

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 18, 2024
idstringyes Long-TermThe unique identifier of the aggregate alert.
viewNameRepoOrViewNameyes Long-TermName of the view of the aggregate alert. RepoOrViewName is a scalar

Returned Datatypes

For AggregateAlert, there are several parameters that may be requested. Below is a list of them:

Table: AggregateAlert

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 30, 2025
actions[Action]yes Long-TermList of actions to fire on query result. See Action.
allowedActions[AssetAction]yes Short-TermList of actions allowed to fire on query result. See AssetAction .
createdInfoAssetCommitMetadata  Long-TermMetadata related to the creation of the aggregate alert. See AssetCommitMetadata.
descriptionstring  Long-TermDescription of the aggregate alert.
enabledbooleanyes Long-TermFlag indicating whether the aggregate alert is enabled.
idstringyes Long-TermUnique identifier of of the aggregate alert.
labels[string]yes Long-TermLabels attached to the aggregate alert.
lastErrorstring  Long-TermLast error encountered while running the aggregate alert.
lastSuccessfulPolllong  Long-TermUnix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
lastTriggeredlong  Long-TermUnix timestamp for last execution of trigger.
lastWarnings[string]yes Long-TermLast warnings encountered while running the aggregate alert.
modifiedInfoModifiedInfoyes Long-TermUser or token used to modify the asset. See ModifiedInfo.
namestringyes Long-TermName of the aggregate alert.
packagePackageInstallation  Long-TermThe package of which the aggregate alert was installed. See PackageInstallation.
packageIdVersionedPackageSpecifier  Long-TermThe unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar.
queryOwnershipQueryOwnershipyes Long-TermOwnership of the query run by this alert. See QueryOwnership.
queryStringstringyes Long-TermLogScale query to execute.
queryTimestampTypeQueryTimestampTypeyes Long-TermTimestamp type to use for a query. See QueryTimestampType and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
resourcestringyes Short-TermThe resource identifier for the aggregate alert.
searchIntervalSecondslongyes Long-TermSearch interval in seconds.
throttleFieldstring  Long-TermA field to throttle on.
throttleTimeSecondslongyes Long-TermThrottle time in seconds.
triggerModeTriggerModeyes Long-TermTrigger mode used for triggering the alert. See TriggerMode and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
yamlTemplateYAMLyes Long-TermThe yaml specification of the aggregate alert. YAML is a scalar.