Stability Level Long-Term
API Stability Long-Term

The enableAggregateAlertV2() GraphQL mutation is used to enable an aggregate alert.

The mutation field replaces enableAggregateAlert(), which is deprecated.

Syntax

Below is the syntax for the enableAggregateAlertV2() mutation field:

graphql
enableAggregateAlertV2(
       input: EnableAggregateAlert!
    ): AggregateAlert

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  enableAggregateAlertV2( input:
    { viewName: "humio"
      id: "abc123" }
  )
  { id, enabled }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  enableAggregateAlertV2( input: ^
    { viewName: \"humio\" ^
      id: \"abc123\" } ^
  ) ^
  { id, enabled } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  enableAggregateAlertV2( input:
    { viewName: \"humio\"
      id: \"abc123\" }
  )
  { id, enabled }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "enableAggregateAlertV2": {
      "id": "abc123",
      "enabled": true
    }
  }
}

Given Datatypes

For the EnableAggregateAlert given datatype, there are a few parameters. Below is a list of them, along with a description of each.

Table: EnableAggregateAlert

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 18, 2024
idstringyes Long-TermThe unique identifier of the aggregate alert.
viewNameRepoOrViewNameyes Long-TermName of the view of the aggregate alert. RepoOrViewName is a scalar.

Returned Datatypes

For AggregateAlert, there are several parameters that may be requested. Below is a list of them:

Table: AggregateAlert

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 30, 2025
actions[Action]yes Long-TermList of actions to fire on query result. See Action.
allowedActions[AssetAction]yes Short-TermList of actions allowed to fire on query result. See AssetAction .
createdInfoAssetCommitMetadata  Long-TermMetadata related to the creation of the aggregate alert. See AssetCommitMetadata.
descriptionstring  Long-TermDescription of the aggregate alert.
enabledbooleanyes Long-TermFlag indicating whether the aggregate alert is enabled.
idstringyes Long-TermUnique identifier of of the aggregate alert.
labels[string]yes Long-TermLabels attached to the aggregate alert.
lastErrorstring  Long-TermLast error encountered while running the aggregate alert.
lastSuccessfulPolllong  Long-TermUnix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
lastTriggeredlong  Long-TermUnix timestamp for last execution of trigger.
lastWarnings[string]yes Long-TermLast warnings encountered while running the aggregate alert.
modifiedInfoModifiedInfoyes Long-TermUser or token used to modify the asset. See ModifiedInfo.
namestringyes Long-TermName of the aggregate alert.
packagePackageInstallation  Long-TermThe package of which the aggregate alert was installed. See PackageInstallation.
packageIdVersionedPackageSpecifier  Long-TermThe unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar.
queryOwnershipQueryOwnershipyes Long-TermOwnership of the query run by this alert. See QueryOwnership.
queryStringstringyes Long-TermLogScale query to execute.
queryTimestampTypeQueryTimestampTypeyes Long-TermTimestamp type to use for a query. See QueryTimestampType and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
resourcestringyes Short-TermThe resource identifier for the aggregate alert.
searchIntervalSecondslongyes Long-TermSearch interval in seconds.
throttleFieldstring  Long-TermA field to throttle on.
throttleTimeSecondslongyes Long-TermThrottle time in seconds.
triggerModeTriggerModeyes Long-TermTrigger mode used for triggering the alert. See TriggerMode and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
yamlTemplateYAMLyes Long-TermThe yaml specification of the aggregate alert. YAML is a scalar.