Stability Level Long-Term

The updateFilterAlertV2() GraphQL mutation is used to change a filter alert.

Related to this mutation is the createFilterAlert() mutation to add a new filter alert, enableFilterAlertV2() and disableFilterAlertV2() to enable and disable a filter alert, and deleteFilterAlertV2() to delete one.

Syntax

Below is the syntax for the updateFilterAlertV2() mutation field:

graphql
updateFilterAlertV2(
     input: UpdateFilterAlertV2!
   ): FilterAlert!

For the input you would provide whatever parameters you want to change. For instance, you might want to change the query that's executed by the filter alert. See the Given Datatype section for more choices.

For the results, you can get the query to execute, the actions to take, and other information on the filter alert. See the Returned Datatype section further down this page for more.

Example

Below is an example of how you might use this mutation field:

Raw
graphql
mutation {
  updateFilterAlertV2( input:
    {
       viewName: "humio",
       name: "Intruder",
       id: "abc123",
       queryString: "host=12.127.*",
       actionIdsOrNames: [ "WakeUp" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  updateFilterAlertV2( input:
    {
       viewName: \"humio\",
       name: \"Intruder\",
       id: \"abc123\",
       queryString: \"host=12.127.*\",
       actionIdsOrNames: [ \"WakeUp\" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { updateFilterAlertV2( input: { viewName: \"humio\", name: \"Intruder\", id: \"abc123\", queryString: \"host=12.127.*\", actionIdsOrNames: [ \"WakeUp\" ], labels: [], enabled: true, queryOwnershipType: Organization } ) { id } }"}'
Windows Cmd and curl
shell
curl -v -X POST "%YOUR_LOGSCALE_URL%/graphql" ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\": \"mutation { updateFilterAlertV2( input: { viewName: \\\"humio\\\", name: \\\"Intruder\\\", id: \\\"abc123\\\", queryString: \\\"host=12.127.*\\\", actionIdsOrNames: [ \\\"WakeUp\\\" ], labels: [], enabled: true, queryOwnershipType: Organization } ) { id } }\"}"
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation {
  updateFilterAlertV2( input:
    {
       viewName: \"humio\",
       name: \"Intruder\",
       id: \"abc123\",
       queryString: \"host=12.127.*\",
       actionIdsOrNames: [ \"WakeUp\" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# API token and base URL are read from the environment
my $TOKEN = $ENV{TOKEN};

my $uri = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Single-quoted so the \" sequences reach the JSON body unchanged
my $query = 'mutation {
  updateFilterAlertV2( input:
    {
       viewName: \"humio\",
       name: \"Intruder\",
       id: \"abc123\",
       queryString: \"host=12.127.*\",
       actionIdsOrNames: [ \"WakeUp\" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}';
# JSON strings cannot contain raw newlines, so collapse them to spaces
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->decoded_content,"\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# Base URL and API token are read from the environment
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

# GraphQL document; requests serializes it into the JSON body,
# so quotes and newlines need no manual escaping
query = '''mutation {
  updateFilterAlertV2( input:
    {
       viewName: "humio",
       name: "Intruder",
       id: "abc123",
       queryString: "host=12.127.*",
       actionIdsOrNames: [ "WakeUp" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}'''

# json= sets the Content-Type header to application/json
resp = requests.post(url,
                     json = {"query": query},
                     headers = {"Authorization" : "Bearer " + token}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// GraphQL document; JSON.stringify below handles quoting and newlines
const query = `mutation {
  updateFilterAlertV2( input:
    {
       viewName: "humio",
       name: "Intruder",
       id: "abc123",
       queryString: "host=12.127.*",
       actionIdsOrNames: [ "WakeUp" ],
       labels: [],
       enabled: true,
       queryOwnershipType: Organization
    }
  )
  { id }
}`;

const data = JSON.stringify({ query });

// YOUR_LOGSCALE_URL and TOKEN are read from the environment
const base = new URL(process.env.YOUR_LOGSCALE_URL);

const options = {
  hostname: base.hostname,
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not characters
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();
Example Responses
Success (HTTP Response Code 200 OK)
json
{
  "data": {
    "updateFilterAlertV2": {
      "id": "abc123"
    }
  }
}

Given Datatype

With the given datatype, you can choose which parameter of the filter alert you want to change, such as the actions to take when triggered, which are given as a list of IDs or names of the actions you want to use. Below is a list of the parameters for this datatype, along with a description of each.

Table: UpdateFilterAlertV2

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actionIdsOrNames | [string] | yes | | Long-Term | List of unique identifiers or names of actions to execute on query result. Ten can be added at most. Actions in packages can be referred to as packagescope/packagename:actionname. |
| description | string | | | Long-Term | A description of the filter alert. |
| enabled | boolean | yes | | Long-Term | Whether the filter alert is enabled. |
| id | string | yes | | Long-Term | The unique identifier of the filter alert. |
| labels | [string] | yes | | Long-Term | The labels attached to the filter alert. |
| name | string | yes | | Long-Term | The name of the filter alert. |
| queryOwnershipType | QueryOwnershipType | yes | | Long-Term | The ownership of the query run by the filter alert. If set to User, ownership will be based on the runAsUserId field. See QueryOwnershipType. |
| queryString | string | yes | | Long-Term | The LogScale query to execute. |
| runAsUserId | string | yes | | Long-Term | The filter alert will run with the permissions of the user given here if queryOwnershipType is set to User. If it's set to Organization, along with this parameter, an error will occur. ChangeTriggersToRunAsOtherUsers permission is required to set this field. |
| throttleFields | [string] | yes | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set. Ten throttle fields can be added at most. |
| throttleTimeSeconds | long | | | Long-Term | The throttle time in seconds. |
| viewName | RepoOrViewName | yes | | Long-Term | The name of the view of the filter alert. RepoOrViewName is a scalar. |

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 9, 2026
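
The constraints in the table above can be checked on the client before the mutation is sent. The following is an added example, not part of the LogScale documentation: it validates an input object against those constraints and builds the request body with standard GraphQL variables, so values such as queryString are carried as JSON data and never spliced into the mutation text. The helper names and the sample queryString are constructed for illustration.

```python
import json

MAX_ITEMS = 10  # documented cap for actionIdsOrNames and throttleFields

# Variables form of the mutation; the input type name comes from the Syntax section.
MUTATION = (
    "mutation($input: UpdateFilterAlertV2!) "
    "{ updateFilterAlertV2(input: $input) { id } }"
)


def validate_input(inp):
    """Return a list of violations of the constraints stated in the table."""
    errors = []
    actions = inp.get("actionIdsOrNames", [])
    fields = inp.get("throttleFields", [])
    if len(actions) > MAX_ITEMS:
        errors.append("actionIdsOrNames: at most ten actions")
    if len(fields) > MAX_ITEMS:
        errors.append("throttleFields: at most ten fields")
    if fields and inp.get("throttleTimeSeconds") is None:
        errors.append("throttleFields requires throttleTimeSeconds")
    if inp.get("queryOwnershipType") == "Organization" and inp.get("runAsUserId"):
        errors.append("runAsUserId cannot be combined with Organization ownership")
    return errors


def build_request_body(inp):
    """Serialize the request; values travel as JSON variables, not query text."""
    errors = validate_input(inp)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps({"query": MUTATION, "variables": {"input": inp}})


# Constructed sample input based on the page's example; the quoted phrase in
# queryString is added to show that no manual escaping is needed.
SAMPLE = {
    "viewName": "humio", "name": "Intruder", "id": "abc123",
    "queryString": 'host=12.127.* "login failed"',
    "actionIdsOrNames": ["WakeUp"], "labels": [], "enabled": True,
    "queryOwnershipType": "Organization",
}

if __name__ == "__main__":
    print(build_request_body(SAMPLE))
```

The returned string is what you would pass as the POST body to the /graphql endpoint with the same headers as the examples above.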

Returned Datatype

The returned datatype provides the LogScale query to execute, the actions to take, when the alert was last triggered, and other information on the filter alert. There are several parameters that may be requested. Below is a list of them:

Table: FilterAlert

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| actions | [Action] | yes | | Long-Term | List of unique identifiers for actions to fire on query result. See Action. |
| allowedActions | [AssetAction] | yes | | Short-Term | List of actions allowed on which to filter query results. See AssetAction. |
| createdInfo | AssetCommitMetadata | | | Long-Term | Metadata related to the creation of the filter alert. See AssetCommitMetadata. |
| description | string | | | Long-Term | Description of the filter alert. |
| enabled | boolean | yes | | Long-Term | Whether the filter alert is enabled. |
| id | string | yes | | Long-Term | The unique identifier of the filter alert. |
| labels | [string] | yes | | Long-Term | Labels attached to the filter alert. |
| lastError | string | | | Long-Term | Last error encountered while running the filter alert. |
| lastErrorTime | long | | | Long-Term | Unix timestamp for last error. |
| lastSuccessfulPoll | long | | | Long-Term | Unix timestamp for last successful poll of the filter alert query. If this is not quite recent, then the alert might be having problems. |
| lastTriggered | long | | | Long-Term | Unix timestamp for last execution of trigger. |
| lastWarnings | [string] | yes | | Long-Term | Last warnings encountered while running the filter alert. |
| modifiedInfo | ModifiedInfo | | | Long-Term | User or token used to modify the asset. See ModifiedInfo. This is a preview and subject to change. |
| name | string | yes | | Long-Term | The name of the filter alert. |
| package | PackageInstallation | | | Long-Term | The package of which the alert was installed. See PackageInstallation. |
| packageId | VersionedPackageSpecifier | | | Long-Term | The unique identifier of the package of which the alert was installed. VersionedPackageSpecifier is a scalar. |
| queryOwnership | QueryOwnership | yes | | Long-Term | Ownership of the query run by this alert. See QueryOwnership. |
| queryString | string | yes | | Long-Term | The LogScale query to execute. |
| resource | string | yes | | Short-Term | The resource identifier for this filter alert. |
| throttleField | string | | | Deprecated | The field on which to throttle. This can be set only if throttleTimeSeconds is set. Filter alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use instead the throttleFields field. |
| throttleFields | [string] | | | Long-Term | The fields on which to throttle. This can be set only if throttleTimeSeconds is set. |
| throttleTimeSeconds | long | | | Long-Term | The throttle time in seconds. |
| yamlTemplate | YAML | yes | | Long-Term | The yaml specification of the filter alert. YAML is a scalar. |

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026