Stability Level: Long-Term

The updateAggregateAlertV2() GraphQL mutation is used to change an aggregate alert.

Related to this mutation are createAggregateAlert(), which adds a new aggregate alert; enableAggregateAlertV2() and disableAggregateAlertV2(), which enable and disable one; and deleteAggregateAlertV2(), which deletes one.

Syntax

Below is the syntax for the updateAggregateAlertV2() mutation field:

graphql
updateAggregateAlertV2(
     input: UpdateAggregateAlertV2!
   ): AggregateAlert!

Example

Below is an example of how you might use this mutation field:

Raw
graphql
mutation {
  updateAggregateAlertV2( input:
    {
      viewName: "humio",
      id: "abc123",
      name: "our-aggregate-alert",
      queryString: "#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
      actionIdsOrNames: [ "act-one", "act-two" ],
      labels: [ "admin" ],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: EventTimestamp,
      triggerMode: CompleteMode,
      queryOwnershipType: User
    }
  )
  { id }
}
Mac OS or Linux (curl)
shell
# The input is passed as a GraphQL variable, so the body is plain JSON and the
# LogScale query string needs no nested escaping. The heredoc delimiter is
# quoted so the shell does not expand $input inside the mutation text.
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << 'EOF'
{
  "query": "mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }",
  "variables": {
    "input": {
      "viewName": "humio",
      "id": "abc123",
      "name": "our-aggregate-alert",
      "queryString": "#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
      "actionIdsOrNames": [ "act-one", "act-two" ],
      "labels": [ "admin" ],
      "enabled": false,
      "throttleTimeSeconds": 100,
      "searchIntervalSeconds": 10800,
      "queryTimestampType": "EventTimestamp",
      "triggerMode": "CompleteMode",
      "queryOwnershipType": "User"
    }
  }
}
EOF
Mac OS or Linux (curl) One-line
shell
# Same request on one line. The body is single-quoted, so $input is passed to the server literally.
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query":"mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }","variables":{"input":{"viewName":"humio","id":"abc123","name":"our-aggregate-alert","queryString":"#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)","actionIdsOrNames":["act-one","act-two"],"labels":["admin"],"enabled":false,"throttleTimeSeconds":100,"searchIntervalSeconds":10800,"queryTimestampType":"EventTimestamp","triggerMode":"CompleteMode","queryOwnershipType":"User"}}}'
Windows Cmd and curl
shell
rem cmd.exe cannot quote nested JSON reliably on the command line, so save the
rem body as request.json (a file name chosen here) and let curl read it:
rem
rem {"query":"mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }",
rem  "variables":{"input":{"viewName":"humio","id":"abc123","name":"our-aggregate-alert",
rem  "queryString":"#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
rem  "actionIdsOrNames":["act-one","act-two"],"labels":["admin"],"enabled":false,
rem  "throttleTimeSeconds":100,"searchIntervalSeconds":10800,
rem  "queryTimestampType":"EventTimestamp","triggerMode":"CompleteMode","queryOwnershipType":"User"}}}
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d @request.json
Windows Powershell and curl
powershell
# Build the body from a hashtable so ConvertTo-Json does all the quoting, then
# hand it to curl.exe through a file: Windows PowerShell does not reliably pass
# embedded double quotes to native executables on the command line.
$body = @{
  query     = 'mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }'
  variables = @{
    input = @{
      viewName              = 'humio'
      id                    = 'abc123'
      name                  = 'our-aggregate-alert'
      queryString           = '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)'
      actionIdsOrNames      = @('act-one', 'act-two')
      labels                = @('admin')
      enabled               = $false
      throttleTimeSeconds   = 100
      searchIntervalSeconds = 10800
      queryTimestampType    = 'EventTimestamp'
      triggerMode           = 'CompleteMode'
      queryOwnershipType    = 'User'
    }
  }
} | ConvertTo-Json -Depth 10 -Compress

$file = Join-Path $PWD 'request.json'
[System.IO.File]::WriteAllText($file, $body)   # UTF-8 without a BOM

curl.exe -v -X POST "$env:YOUR_LOGSCALE_URL/graphql" `
    -H "Authorization: Bearer $env:TOKEN" `
    -H "Content-Type: application/json" `
    -d "@$file"
Perl
perl
#!/usr/bin/perl
use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# Base URL and token come from the environment, as in the curl examples.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# The input is sent as a GraphQL variable and encode_json does the quoting,
# so the LogScale query string needs no hand escaping.
my $json = encode_json({
    query     => 'mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }',
    variables => { input => {
        viewName              => "humio",
        id                    => "abc123",
        name                  => "our-aggregate-alert",
        queryString           => '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)',
        actionIdsOrNames      => [ "act-one", "act-two" ],
        labels                => [ "admin" ],
        enabled               => JSON::PP::false,
        throttleTimeSeconds   => 100,
        searchIntervalSeconds => 10800,
        queryTimestampType    => "EventTimestamp",
        triggerMode           => "CompleteMode",
        queryOwnershipType    => "User",
    } },
});

my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

print $result->status_line, "\n";
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os
import requests

# Base URL and token come from the environment, as in the curl examples.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

# The input is sent as a GraphQL variable; the json= parameter does the
# quoting, so the LogScale query string needs no hand escaping.
payload = {
    "query": "mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }",
    "variables": {
        "input": {
            "viewName": "humio",
            "id": "abc123",
            "name": "our-aggregate-alert",
            "queryString": '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)',
            "actionIdsOrNames": ["act-one", "act-two"],
            "labels": ["admin"],
            "enabled": False,
            "throttleTimeSeconds": 100,
            "searchIntervalSeconds": 10800,
            "queryTimestampType": "EventTimestamp",
            "triggerMode": "CompleteMode",
            "queryOwnershipType": "User",
        }
    },
}

resp = requests.post(url, json=payload, headers={"Authorization": "Bearer " + token})
resp.raise_for_status()  # transport-level failure; GraphQL errors arrive with 200 in the body
print(resp.text)
Node.js
javascript
const https = require('https');

// The input travels as a GraphQL variable: JSON.stringify does the quoting,
// so the LogScale query string never has to be escaped by hand.
const data = JSON.stringify({
  query: 'mutation($input: UpdateAggregateAlertV2!) { updateAggregateAlertV2(input: $input) { id } }',
  variables: {
    input: {
      viewName: 'humio',
      id: 'abc123',
      name: 'our-aggregate-alert',
      queryString: '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)',
      actionIdsOrNames: ['act-one', 'act-two'],
      labels: ['admin'],
      enabled: false,
      throttleTimeSeconds: 100,
      searchIntervalSeconds: 10800,
      queryTimestampType: 'EventTimestamp',
      triggerMode: 'CompleteMode',
      queryOwnershipType: 'User',
    },
  },
});

// YOUR_LOGSCALE_URL is the base URL of the LogScale instance; the path is appended here.
const url = new URL('/graphql', process.env.YOUR_LOGSCALE_URL);

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data), // byte length, not character count
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    body += chunk;
  });
  res.on('end', () => {
    const parsed = JSON.parse(body);
    // GraphQL reports a failed mutation in "errors" with HTTP 200, so check it explicitly.
    if (parsed.errors) console.error(parsed.errors);
    console.log(parsed.data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "updateAggregateAlertV2": {
    "id": "abc123"
  }
}

Given Datatype

The input datatype carries the full definition of the aggregate alert, including the actions to take when it triggers, given as a list of IDs or names of those actions. Most of its parameters are required, so an update sends the whole definition rather than only the field being changed; read the current alert first and send every value back. Below is a list of the parameters for this datatype, along with a description of each.

Table: UpdateAggregateAlertV2

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 9, 2026

Parameter | Type | Required | Default | Stability | Description
actionIdsOrNames | [string] | yes | | Long-Term | List of unique identifiers or names of actions to execute on query result. Ten can be added at most. Actions in packages can be referred to as packagescope/packagename:actionname.
description | string | | | Long-Term | A description of the aggregate alert.
enabled | boolean | yes | | Long-Term | Whether the aggregate alert is enabled.
id | string | yes | | Long-Term | The unique identifier of the aggregate alert.
labels | [string] | yes | | Long-Term | The labels attached to the aggregate alert.
name | string | yes | | Long-Term | The name of the aggregate alert.
queryOwnershipType | QueryOwnershipType | yes | | Long-Term | The ownership of the query run by the aggregate alert. If set to User, ownership will be based on the runAsUserId field. See QueryOwnershipType.
queryString | string | yes | | Long-Term | The LogScale query to execute.
queryTimestampType | QueryTimestampType | yes | | Long-Term | The type of time stamp to use for the query. See QueryTimestampType for a list of choices.
runAsUserId | string | | | Long-Term | The aggregate alert will run with the permissions of the user given here if queryOwnershipType is set to User. Setting this parameter together with queryOwnershipType Organization is an error. The ChangeTriggersToRunAsOtherUsers permission is required to set this field.
searchIntervalSeconds | long | yes | | Long-Term | The search interval to use in seconds. Valid values are 1-80 minutes in seconds divisible by 60, 82-180 minutes in seconds divisible by 120 and 4-24 hours in seconds divisible by 3600.
throttleFields | [string] | yes | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set. Ten throttle fields can be added at most.
throttleTimeSeconds | long | yes | | Long-Term | The throttle time in seconds.
triggerMode | TriggerMode | yes | | Long-Term | The mode used for triggering the alert. See TriggerMode.
viewName | RepoOrViewName | yes | | Long-Term | The name of the view of the aggregate alert. RepoOrViewName is a scalar.
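As an added example (not LogScale's own code), the following Python checks an UpdateAggregateAlertV2 input against the constraints in the table above before building the request body, and passes the input as a GraphQL variable instead of splicing the query text into the mutation. The field names and rules are the table's; the helper names, the empty throttleFields value and the sample input are this example's own.

```python
import json

# Added example, not LogScale's own code: client-side checks mirroring the
# constraints in the UpdateAggregateAlertV2 table, so a bad update fails
# locally with a clear message instead of as a server-side GraphQL error.
# Field names are the input type's; the helper names are this example's own.

# Fields the table marks as required.
REQUIRED_FIELDS = (
    "actionIdsOrNames", "enabled", "id", "labels", "name",
    "queryOwnershipType", "queryString", "queryTimestampType",
    "searchIntervalSeconds", "throttleFields", "throttleTimeSeconds",
    "triggerMode", "viewName",
)

MUTATION = (
    "mutation($input: UpdateAggregateAlertV2!) "
    "{ updateAggregateAlertV2(input: $input) { id } }"
)

MINUTE, HOUR = 60, 3600


def valid_search_interval(seconds):
    """searchIntervalSeconds rule: 1-80 min in 60 s steps, 82-180 min in
    120 s steps, 4-24 h in 3600 s steps. Anything else (81 min, 181-239 min,
    more than 24 h, non-integers) is rejected."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        return False
    if 1 * MINUTE <= seconds <= 80 * MINUTE:
        return seconds % 60 == 0
    if 82 * MINUTE <= seconds <= 180 * MINUTE:
        return seconds % 120 == 0
    if 4 * HOUR <= seconds <= 24 * HOUR:
        return seconds % 3600 == 0
    return False


def validate_update_input(inp):
    """Return the list of constraint violations; an empty list means the
    input satisfies every rule the parameter table documents."""
    errors = []
    for field in REQUIRED_FIELDS:
        if field not in inp:
            errors.append(f"missing required field {field}")
    if len(inp.get("actionIdsOrNames") or []) > 10:
        errors.append("actionIdsOrNames: at most ten actions")
    throttle_fields = inp.get("throttleFields") or []
    if len(throttle_fields) > 10:
        errors.append("throttleFields: at most ten fields")
    if throttle_fields and not inp.get("throttleTimeSeconds"):
        errors.append("throttleFields can only be set when throttleTimeSeconds is set")
    if "searchIntervalSeconds" in inp and not valid_search_interval(inp["searchIntervalSeconds"]):
        errors.append(f"searchIntervalSeconds: {inp['searchIntervalSeconds']!r} is not an allowed value")
    if "runAsUserId" in inp and inp.get("queryOwnershipType") != "User":
        # Per the table, runAsUserId together with queryOwnershipType Organization is an error.
        errors.append("runAsUserId requires queryOwnershipType User")
    return errors


def build_request_body(inp):
    """JSON body for POST /graphql. The input goes in "variables", so the
    LogScale query string is never spliced into the query document as text."""
    problems = validate_update_input(inp)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"query": MUTATION, "variables": {"input": inp}})


# Constructed input: the values from this page's example, plus the required
# throttleFields that the example leaves out (empty here: throttle on time alone).
EXAMPLE_INPUT = {
    "viewName": "humio",
    "id": "abc123",
    "name": "our-aggregate-alert",
    "queryString": '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)',
    "actionIdsOrNames": ["act-one", "act-two"],
    "labels": ["admin"],
    "enabled": False,
    "throttleTimeSeconds": 100,
    "throttleFields": [],
    "searchIntervalSeconds": 10800,
    "queryTimestampType": "EventTimestamp",
    "triggerMode": "CompleteMode",
    "queryOwnershipType": "User",
}

if __name__ == "__main__":
    print(build_request_body(EXAMPLE_INPUT))
```

The search-interval check is the one most often got wrong by hand: 10800 (180 minutes) passes because it is a multiple of 120, while 10860 (181 minutes) falls in the gap between the 180-minute and 4-hour ranges and is rejected before the request leaves the client.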

Returned Datatype

The returned datatype provides the LogScale query to execute, the actions to take, when the aggregate alert was last triggered, and other information on the aggregate alert. There are several parameters that may be requested. Below is a list of them:

Table: AggregateAlert

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026

Parameter | Type | Required | Default | Stability | Description
actions | [Action] | yes | | Long-Term | List of actions to fire on query result. See Action.
allowedActions | [AssetAction] | yes | | Short-Term | List of actions allowed to fire on query result. See AssetAction.
createdInfo | AssetCommitMetadata | | | Long-Term | Metadata related to the creation of the aggregate alert. See AssetCommitMetadata.
description | string | | | Long-Term | Description of the aggregate alert.
enabled | boolean | yes | | Long-Term | Flag indicating whether the aggregate alert is enabled.
id | string | yes | | Long-Term | Unique identifier of the aggregate alert.
labels | [string] | yes | | Long-Term | Labels attached to the aggregate alert.
lastError | string | | | Long-Term | Last error encountered while running the aggregate alert.
lastSuccessfulPoll | long | | | Long-Term | Unix timestamp for the last successful poll of the aggregate alert query. If this isn't very recent, the alert might have problems.
lastTriggered | long | | | Long-Term | Unix timestamp for the last execution of the trigger.
lastWarnings | [string] | yes | | Long-Term | Last warnings encountered while running the aggregate alert.
modifiedInfo | ModifiedInfo | yes | | Long-Term | User or token used to modify the asset. See ModifiedInfo.
name | string | yes | | Long-Term | Name of the aggregate alert.
package | PackageInstallation | | | Long-Term | The package from which the aggregate alert was installed. See PackageInstallation.
packageId | VersionedPackageSpecifier | | | Long-Term | The unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar.
queryOwnership | QueryOwnership | yes | | Long-Term | Ownership of the query run by this alert. See QueryOwnership.
queryString | string | yes | | Long-Term | LogScale query to execute.
queryTimestampType | QueryTimestampType | yes | | Long-Term | Timestamp type to use for a query. See QueryTimestampType and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
resource | string | yes | | Short-Term | The resource identifier for the aggregate alert.
searchIntervalSeconds | long | yes | | Long-Term | Search interval in seconds.
throttleField | string | | | Deprecated | The field on which to throttle. This can be set only if throttleTimeSeconds is set. Aggregate alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use the throttleFields field instead.
throttleFields | [string] | | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set.
throttleTimeSeconds | long | yes | | Long-Term | Throttle time in seconds.
triggerMode | TriggerMode | yes | | Long-Term | Trigger mode used for triggering the alert. See TriggerMode and the FAQ: How to handle ingest delays in aggregate alerts and scheduled searches KB article.
yamlTemplate | YAML | yes | | Long-Term | The YAML specification of the aggregate alert. YAML is a scalar.
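As an added example (not LogScale's own code), the following Python reads a mutation response whose selection set asked for the health-related fields in the table above (lastError, lastWarnings, lastSuccessfulPoll, the deprecated throttleField) and turns them into findings, after first checking the GraphQL "errors" array, which a server can return alongside HTTP 200. The response body, the 600 s poll-age threshold and the assumption that the long timestamps are Unix milliseconds are this example's own.

```python
import json

# Added example, not LogScale's own code. Assumption of this example: the
# long timestamps in the response (lastSuccessfulPoll, lastTriggered) are
# Unix time in milliseconds.
MS = 1000


class GraphQLError(Exception):
    """Raised when the response carries an "errors" array."""


def unwrap(response_text, field):
    """Return data[field] from a GraphQL response body. A GraphQL server can
    answer HTTP 200 with "errors" set and "data" null, so look at errors
    before touching data."""
    body = json.loads(response_text)
    if body.get("errors"):
        raise GraphQLError("; ".join(e.get("message", "unknown error") for e in body["errors"]))
    return body["data"][field]


def assess_alert(alert, now_ms, max_poll_age_s=600):
    """Findings as (kind, detail) pairs derived from the AggregateAlert fields.
    max_poll_age_s is this example's threshold for "lastSuccessfulPoll isn't
    very recent", not a LogScale value."""
    findings = []
    if alert.get("lastError"):
        findings.append(("error", alert["lastError"]))
    for warning in alert.get("lastWarnings") or []:
        findings.append(("warning", warning))
    if alert.get("enabled"):
        poll = alert.get("lastSuccessfulPoll")
        if poll is None:
            findings.append(("stale", "enabled but never polled successfully"))
        elif now_ms - poll > max_poll_age_s * MS:
            findings.append(("stale", f"last successful poll {(now_ms - poll) // MS} s ago"))
    else:
        findings.append(("disabled", "alert is disabled; it will not trigger"))
    if alert.get("throttleField"):
        findings.append(("deprecated", "throttleField is deprecated, move the value to throttleFields"))
    if alert.get("throttleFields") and not alert.get("throttleTimeSeconds"):
        findings.append(("config", "throttleFields set without throttleTimeSeconds"))
    return findings


# Constructed responses shaped like the fields this page lists; not captured
# from a real LogScale instance. NOW_MS is fixed so the example is deterministic.
NOW_MS = 1_700_000_000_000
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "updateAggregateAlertV2": {
            "id": "abc123",
            "name": "our-aggregate-alert",
            "enabled": True,
            "lastError": None,
            "lastWarnings": ["Query result was truncated"],
            "lastSuccessfulPoll": NOW_MS - 3600 * MS,
            "lastTriggered": None,
            "searchIntervalSeconds": 10800,
            "throttleTimeSeconds": 100,
            "throttleField": "host",
            "throttleFields": [],
        }
    }
})
FAILED_RESPONSE = json.dumps({"errors": [{"message": "Unknown view: humio"}], "data": None})


def check(response_text, now_ms=NOW_MS):
    """Unwrap the mutation result and assess it; returns the findings."""
    return assess_alert(unwrap(response_text, "updateAggregateAlertV2"), now_ms)


if __name__ == "__main__":
    for kind, detail in check(SAMPLE_RESPONSE):
        print(f"{kind:10s} {detail}")
```

Run against the constructed response this reports a warning, a stale poll an hour old, and the deprecated throttleField; against the failed response it raises GraphQLError with the server's message instead of failing on a null data object.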