updateAggregateAlert()

API Stability	`Long-Term`

The updateAggregateAlert() GraphQL mutation is used to update an existing aggregate alert.

For more information on aggregate alerts, see the Aggregate alerts documentation page.

Syntax

Below is the syntax for the updateAggregateAlert() mutation field:

graphql

updateAggregateAlert(
      input: UpdateAggregateAlert!
   ): AggregateAlert!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  updateAggregateAlert( input:
    {
      viewName: "humio",
      id: "abc123",
      name: "our-aggregate-alert",
      queryString: "#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
      actionIdsOrNames: [ "act-one", "act-two" ],
      labels: [ "admin" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  updateAggregateAlert( input: ^
    { ^
      viewName: \"humio\", ^
      id: \"abc123\", ^
      name: \"our-aggregate-alert\", ^
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\", ^
      actionIdsOrNames: [ \"act-one\", \"act-two\" ], ^
      labels: [ \"admin\" ], ^
      enabled: false, ^
      throttleTimeSeconds: 100, ^
      searchIntervalSeconds: 10800, ^
      queryTimestampType: EventTimestamp, ^
      triggerMode: CompleteMode, ^
      queryOwnershipType: User ^
    } ^
  ) ^
  { id } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  updateAggregateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"our-aggregate-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      actionIdsOrNames: [ \"act-one\", \"act-two\" ],
      labels: [ \"admin\" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Example Responses

Show:

json

{
  "updateAggregateAlert": {
    "id": "abc123"
    }
  }
}

Given Datatypes

For UpdateAggregateAlert, there are a few parameters. Below is a list of them along with a description of each:

Table: UpdateAggregateAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 23, 2024
`actionIdsOrNames`	[string]	yes	`Long-Term`	List of ids or names for actions to fire on query result. Actions in packages can be referred to as 'packagescope/packagename:actionname'.
`enabled`	boolean	yes	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
`description`	string		`Long-Term`	Description of the aggregate alert.
`id`	string	yes	`Long-Term`	The unique identifier of the aggregate alert.
`labels`	[string]	yes	`Long-Term`	Labels attached to the aggregate alert.
`name`	string	yes	`Long-Term`	Name of the aggregate alert.
`queryOwnershipType`	`QueryOwnershipType`	yes	`Long-Term`	Ownership of the query run by this aggregate alert. If value is `User`, ownership will be based on the `runAsUserId` field. See `queryOwnershipType`.
`queryString`	string	yes	`Long-Term`	LogScale query to execute.
`text`	`QueryTimestampType`		`Long-Term`	Timestamp type to use for a query. See `QueryTimestampType`.
`runAsUserId`	string		`Long-Term`	The aggregate alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the aggregate alert will run with the permissions of the calling user. It requires the 'ChangeTriggersToRunAsOtherUsers' permission to set this field to a user id different from the calling user.
`searchIntervalSeconds`	long	yes	`Long-Term`	Search interval in seconds. Valid values: 1-80 minutes in seconds divisible by 60 (60, 120, ..., 4800 seconds); 82-180 minutes in seconds divisible by 120 (4920, 5040, ..., 10800 seconds); and 4-24 hours in seconds divisible by 3600 (14400, 18000, ..., 86400 seconds).
`throttleField`	string	yes	`Long-Term`	A field to throttle on. Can only be set if throttleTimeSeconds is set.
`throttleTimeSeconds`	long	yes	`Long-Term`	Throttle time in seconds.
`triggerMode`	`TriggerMode`	yes	`Long-Term`	Trigger mode used for triggering the alert. See `TriggerMode`.
`viewName`	`RepoOrViewName`	yes	`Long-Term`	Name of the view of the aggregate alert. `RepoOrViewName` is a scalar.

Returned Datatypes

The returned datatype AggregateAlert has several parameters. Below is a list of them along with a description of each:

Table: AggregateAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 25, 2025
`actions`	[`action`]	yes	`Long-Term`	List of actions to fire on query result. See `Action`.
`allowedActions`	[`AssetAction`]	yes	`Preview`	List of actions allowed to fire on query result. See `AssetAction`.
`description`	string		`Long-Term`	Description of the aggregate alert.
`enabled`	boolean	yes	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
`id`	string	yes	`Long-Term`	Unique identifier of of the aggregate alert.
`labels`	[string]	yes	`Long-Term`	Labels attached to the aggregate alert.
`lastError`	string		`Long-Term`	Last error encountered while running the aggregate alert.
`lastSuccessfulPoll`	long		`Long-Term`	Unix timestamp for last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
`lastTriggered`	long		`Long-Term`	Unix timestamp for last execution of trigger.
`lastWarnings`	[string]	yes	`Long-Term`	Last warnings encountered while running the aggregate alert.
`modifiedInfo`	`ModifiedInfo`	yes	`Preview`	Information about the aggregate alert that was modified. See `ModifiedInfo`.
`name`	string	yes	`Long-Term`	Name of the aggregate alert.
`package`	`PackageInstallation`		`Long-Term`	The package of which the aggregate alert was installed. See `PackageInstallation`.
`packageId`	`VersionedPackageSpecifier`		`Long-Term`	The unique identifier of the package of the aggregate alert template. `VersionedPackageSpecifier` is a scalar.
`queryOwnership`	`queryOwnership`	yes	`Long-Term`	Ownership of the query run by this alert. See `queryOwnership`.
`queryString`	string	yes	`Long-Term`	LogScale query to execute.
`queryTimestampType`	`QueryTimestampType`	yes	`Long-Term`	Timestamp type to use for a query. See `QueryTimestampType` and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
`resource`	string	yes	`Short-Term`	The resource identifier for the aggregate alert.
`searchIntervalSeconds`	long	yes	`Long-Term`	Search interval in seconds.
`throttleField`	string		`Long-Term`	A field to throttle on.
`throttleTimeSeconds`	long	yes	`Long-Term`	Throttle time in seconds.
`triggerMode`	`TriggerMode`	yes	`Long-Term`	Trigger mode used for triggering the alert. See `TriggerMode` and the FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts KB article.
`yamlTemplate`	`yaml`	yes	`Long-Term`	YAML specification of the aggregate alert.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes