API Stability Long-Term

The updateAlert() GraphQL mutation may be used to update an alert in LogScale.

For more information on alerts, see the Triggers documentation page.

Syntax

Below is the syntax for the updateAlert() mutation field:

graphql
updateAlert(
     input: UpdateAlert!
   ): Alert!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  updateAlert( input:
    {
      viewName: "humio",
      id: "abc123",
      name: "my-alert",
      queryString: "#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
      queryStart: "1day",
      throttleTimeMillis: 1000,
      actions: [ "wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s" ],
      labels: [ "admin" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << 'EOF'
{"query" : "mutation {
  updateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"my-alert\",
      queryString: \"#kind=threaddumps | NOT \\\"(Native Method)\\\" | top(humioLine)\",
      queryStart: \"1day\",
      throttleTimeMillis: 1000,
      actions: [ \"wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s\" ],
      labels: [ \"admin\" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { updateAlert( input: { viewName: \"humio\", id: \"abc123\", name: \"my-alert\", queryString: \"#kind=threaddumps | NOT \\\"(Native Method)\\\" | top(humioLine)\", queryStart: \"1day\", throttleTimeMillis: 1000, actions: [ \"wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s\" ], labels: [ \"admin\" ], enabled: false, queryOwnershipType: User } ) { id } }"}'
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  updateAlert( input: ^
    { ^
      viewName: \"humio\", ^
      id: \"abc123\", ^
      name: \"my-alert\", ^
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\", ^
      queryStart: \"1day\", ^
      throttleTimeMillis: 1000, ^
      actions: [ \"wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s\" ], ^
      labels: [ \"admin\" ], ^
      enabled: false, ^
      queryOwnershipType: User ^
    } ^
  ) ^
  { id } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation {
  updateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"my-alert\",
      queryString: \"#kind=threaddumps | NOT \\\"(Native Method)\\\" | top(humioLine)\",
      queryStart: \"1day\",
      throttleTimeMillis: 1000,
      actions: [ \"wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s\" ],
      labels: [ \"admin\" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  updateAlert( input:
    {
      viewName: \"humio\",
      id: \"abc123\",
      name: \"my-alert\",
      queryString: \"#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)\",
      queryStart: \"1day\",
      throttleTimeMillis: 1000,
      actions: [ \"wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s\" ],
      labels: [ \"admin\" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}";
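$query =~ s/\n/ /g;
# JSON-escape backslashes and double quotes before embedding the query in the body.
$query =~ s/(["\\])/\\$1/g;
my $json = sprintf('{"query" : "%s"}',$query);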
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->decoded_content,"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'

# The GraphQL document as plain text. It is JSON-encoded by requests (json=)
# below, so its quotes and newlines need no hand escaping.
query = r'''mutation {
  updateAlert( input:
    {
      viewName: "humio",
      id: "abc123",
      name: "my-alert",
      queryString: "#kind=threaddumps | NOT \"(Native Method)\" | top(humioLine)",
      queryStart: "1day",
      throttleTimeMillis: 1000,
      actions: [ "wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s" ],
      labels: [ "admin" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}'''

resp = requests.post(url,
                     json = {"query": query},
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// The GraphQL document is a template literal so it can span lines;
// JSON.stringify escapes its quotes and newlines for the request body.
const data = JSON.stringify(
    {"query" : `mutation {
  updateAlert( input:
    {
      viewName: "humio",
      id: "abc123",
      name: "my-alert",
      queryString: "#kind=threaddumps | NOT \\"(Native Method)\\" | top(humioLine)",
      queryStart: "1day",
      throttleTimeMillis: 1000,
      actions: [ "wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s" ],
      labels: [ "admin" ],
      enabled: false,
      queryOwnershipType: User
    }
  )
  { id }
}`
}
);


const options = {
  // Placeholder: host name only, without "https://" or a path.
  hostname: '$YOUR_LOGSCALE_URL',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not characters.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "updateAlert": {
      "id": "abc123"
    }
  }
}

Given Datatypes

For UpdateAlert, there are several parameters that may be given. Below is a list of them along with a description of each:

Table: UpdateAlert

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actions | [string] | yes | | Long-Term | List of unique identifiers for actions to fire on query result. |
| description | string | | | Long-Term | A description of the alert. |
| enabled | boolean | yes | | Long-Term | A flag indicating whether the alert is enabled. |
| id | string | yes | | Long-Term | The unique identifier of the alert. |
| labels | [string] | yes | | Long-Term | Labels attached to the alert. |
| name | string | yes | | Long-Term | The name of the alert. |
| queryOwnershipType | QueryOwnershipType | yes | User | Long-Term | The ownership of the query run by this alert. If value is User, ownership will be based on the runAsUserId field. See QueryOwnershipType. |
| queryStart | string | yes | | Long-Term | The start of the relative time interval for the query. |
| queryString | string | yes | | Long-Term | The LogScale query to execute. |
| runAsUserId | string | | | Long-Term | The alert will run with the permissions of the user corresponding to this id if the queryOwnershipType field is set to User. If the queryOwnershipType is set to Organization, whilst runAsUserId is set, this will result in an error. If not specified, the alert will run with the permissions of the calling user. It requires the ChangeTriggersToRunAsOtherUsers permission to set this field to a user ID different from the calling user. |
| throttleField | string | | | Long-Term | The field on which to throttle. |
| throttleTimeMillis | long | yes | | Long-Term | Throttle time in milliseconds. |
| viewName | string | yes | | Long-Term | The name of the view of the alert. |
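
The UpdateAlert table above lists which inputs are required and states that runAsUserId combined with Organization ownership results in an error. The following is an added example, not part of the LogScale documentation, that checks both before sending and passes the input as a GraphQL variable so that the quotes inside queryString are escaped by the JSON encoder rather than by hand. The function name, the operation name and the use of the standard GraphQL "variables" key are assumptions; the returned body would be POSTed to /graphql with the same headers as the examples above.

```python
import json

# Required and optional inputs, taken from the UpdateAlert table on this page.
REQUIRED = ("viewName", "id", "name", "queryString", "queryStart",
            "throttleTimeMillis", "actions", "labels", "enabled",
            "queryOwnershipType")
OPTIONAL = ("description", "runAsUserId", "throttleField")

# Operation name is hypothetical; the variable type comes from the Syntax section.
MUTATION = """mutation UpdateAlertExample($input: UpdateAlert!) {
  updateAlert(input: $input) { id }
}"""


def build_update_alert_body(fields: dict) -> str:
    """Return the JSON request body for updateAlert, or raise ValueError."""
    unknown = set(fields) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unknown UpdateAlert fields: {sorted(unknown)}")
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    # The table states this combination results in an error; fail before sending.
    if fields["queryOwnershipType"] == "Organization" and "runAsUserId" in fields:
        raise ValueError("runAsUserId cannot be set with Organization ownership")
    # json.dumps escapes the quotes inside queryString; nothing is hand-escaped.
    return json.dumps({"query": MUTATION, "variables": {"input": fields}})


# Constructed sample input: the values from the example mutation on this page.
SAMPLE = {
    "viewName": "humio", "id": "abc123", "name": "my-alert",
    "queryString": '#kind=threaddumps | NOT "(Native Method)" | top(humioLine)',
    "queryStart": "1day", "throttleTimeMillis": 1000,
    "actions": ["wCU3ut8sXgVK7fW4wKkSwtdfHWlfkt0s"], "labels": ["admin"],
    "enabled": False, "queryOwnershipType": "User",
}

if __name__ == "__main__":
    print(build_update_alert_body(SAMPLE))
```

Because runAsUserId decides whose permissions the alert query runs with, rejecting unknown or conflicting fields on the client keeps a malformed update from reaching the API.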

Returned Datatypes

The returned datatype Alert has several parameters. Below is a list of them along with a description of each:

Table: Alert

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 30, 2025

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actions | string | yes | | Long-Term | List of identifiers for actions to fire on query result. |
| actionsV2 | [Action] | yes | | Long-Term | List of unique identifiers for actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | Short-Term | List of allowed actions. See AssetAction. |
| createdInfo | AssetCommitMetadata | | | Long-Term | Metadata related to the creation of the alert. See AssetCommitMetadata. |
| description | string | | | Long-Term | Description of alert. |
| displayName | string | yes | | Long-Term | Name of the alert. |
| enabled | boolean | yes | | Long-Term | Flag indicating whether the alert is enabled. |
| id | string | yes | | Long-Term | The identifier of the alert. |
| isStarred | boolean | yes | | Deprecated | Whether the calling user has starred the alert. This has been deprecated and is no longer in use and has no effect. It will be removed in version 1.213. |
| labels | [string] | yes | | Long-Term | Labels attached to the alert. |
| lastError | string | | | Long-Term | Last error encountered while running the alert. |
| lastWarnings | [string] | yes | | Long-Term | Last warnings encountered while running the alert. |
| name | string | yes | | Long-Term | The name of the alert. |
| package | PackageInstallation | | | Long-Term | A package installation. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | | | Long-Term | The unique identifier of the package installed, if one was used. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | Long-Term | Ownership of the query run by the alert. See QueryOwnership. |
| queryStart | string | yes | | Long-Term | Start of the relative time interval for the query. |
| queryString | string | yes | | Long-Term | LogScale query to execute. |
| resource | string | yes | | Short-Term | The resource identifier for the alert. |
| runAsUser | User | | | Long-Term | Identifier of user by which the alert is run. See User. |
| throttleField | string | | | Long-Term | Field on which to throttle alert. |
| throttleTimeMillis | long | yes | | Long-Term | Throttle time in milliseconds. |
| timeOfLastTrigger | long | | | Long-Term | UNIX timestamp for when the alert was last triggered. |
| yamlTemplate | string | yes | | Long-Term | The yaml formatted text that describes the alert. YAML is a scalar. |