generateAggregateAlertFromPackageTemplate()

API Stability Long-Term

The generateAggregateAlertFromPackageTemplate() GraphQL query field can generate an unsaved aggregate alert from a library package alert template.

This is a query, not a mutation. It will return only the information that you can use to create a new aggregate alert. You'll then have to use the mutation field, createAggregateAlert().

For more information on aggregate alerts, see the Aggregate Alerts documentation page.

Syntax

graphql

generateAggregateAlertFromPackageTemplate(
     input: GenerateAggregateAlertFromPackageTemplateInput!
   ): UnsavedAggregateAlert

For the input, you'll need to specify the name of the repository or view, the unique identifier for the package that contains the template, and the name of the template. For the results, you can request whatever you need to create a new aggregate alert (e.g., the query string, any actions). See the Return Datatype section for more possibilities.

Example

Below is an example of how this query field might be used:

Raw

graphql

query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: "company-http", 
            packageId: "http-packers@1.23",
            templateName: "standard-aggregatealert-template"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  generateAggregateAlertFromPackageTemplate( ^
    input: {viewName: \"company-http\",  ^
            packageId: \"http-packers@1.23\", ^
            templateName: \"standard-aggregatealert-template\"} ^
  ) { ^
    name,  ^
    description, ^
    throttleField, ^
    actions { ^
      id, name, isAllowedToRun ^
    }     ^
  } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  generateAggregateAlertFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

At this point, there may not be many or there may not be any packages with aggregate alert templates. So there are no results shown here and you may not find a use for this query field at this time.

Given Datatype

The input datatype described in the table below is used to specify the name of the repository or view, the unique identifier for the package that contains the template, and the name of the template for which you want to generate an aggregate alert.

Table: GenerateAggregateAlertFromPackageTemplateInput

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 18, 2024
packageId	VersionedPackageSpecifier	yes	`Long-Term`	The unique identifier of the package of the aggregate alert template. VersionedPackageSpecifier is a scalar.
templateName	string	yes	`Long-Term`	The name of the aggregate alert template in the package.
viewName	RepoOrViewName	yes	`Long-Term`	Name of the view of the aggregate alert. RepoOrViewName is a scalar.

Returned Datatype

For the results, you can request what you need to create a new aggregate alert. At a minimum, you'll need the query string. You might want to look at any actions contained in the template, although you might want to change them to your needs. You may also want to consider what triggers it. Below is a list of your choices:

Table: UnsavedAggregateAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026
actions	[Action]	yes	`Long-Term`	List of actions to fire on query result. See Action.
description	string		`Long-Term`	Description of the aggregate alert.
enabled	boolean	yes	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
labels	[string]	yes	`Long-Term`	Labels attached to the aggregate alert.
name	string	yes	`Long-Term`	Name of the aggregate alert.
queryString	string	yes	`Long-Term`	The LogScale query to execute.
queryTimestampType	QueryTimestampType	yes	`Long-Term`	Timestamp type to use for a query. See QueryTimestampType.
searchIntervalSeconds	long	yes	`Long-Term`	The search interval in seconds.
throttleField	string		`Deprecated`	The field on which to throttle. This can be set only if throttleTimeSeconds is set. Aggregate alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use instead the throttleFields field.
throttleFields	[string]		`Long-Term`	The fields on which to throttle. This can be set only if throttleTimeSeconds is set.
throttleTimeSeconds	long	yes	`Long-Term`	The throttle time in seconds.
triggerMode	TriggerMode	yes	`Long-Term`	The mode used for triggering the alert. See TriggerMode.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes