generateAggregateAlertFromTemplate()

API Stability Long-Term

A yaml template can contain plenty of data, including the details for an aggregate alert. You can use the generateAggregateAlertFromTemplate() query field to extract the data for creating an aggregate alert. You'll then need to use the createAggregateAlert() mutation field to create one.

For more information on aggregate alerts, see the Aggregate Alerts documentation page.

Syntax

graphql

generateAggregateAlertFromTemplate(
     input: GenerateAggregateAlertFromTemplateInput!
   ): UnsavedAggregateAlert!

For the input, you'll have to give the view or repository name, and provide the yaml template from which you want to extract the aggregate alert. For the results, you'd request what you need to create a new aggregate alert (e.g., the query string, what might trigger it, and any actions).

Example

Below is an example of how this query field might be used:

Raw

graphql

query {
  generateAggregateAlertFromTemplate(
    input: {viewName: "company-http", 
            yamlTemplate: "favorite-yaml-template"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  generateAggregateAlertFromTemplate( ^
    input: {viewName: \"company-http\",  ^
            yamlTemplate: \"favorite-yaml-template\"} ^
  ) { ^
    name,  ^
    description, ^
    throttleField, ^
    actions { ^
      id, name, isAllowedToRun ^
    }     ^
  } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  generateAggregateAlertFromTemplate(
    input: {viewName: \"company-http\", 
            yamlTemplate: \"favorite-yaml-template\"}
  ) {
    name, 
    description,
    throttleField,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatype

For the given datatype, you'll need to specify the view or repository name and provide the yaml template from which you want to get the aggregate alert. The parameters for that are described in the table below:

Table: GenerateAggregateAlertFromTemplateInput

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 18, 2024
viewName	RepoOrViewName	yes	`Long-Term`	The name of the view of the aggregate alert. RepoOrViewName is a scalar.
yamlTemplate	YAML	yes	`Long-Term`	The yaml specification of the aggregate alert. YAML is a scalar.

Returned Datatype

For the results, you can request what you need to create a new aggregate alert. At a minimum, you'll need the query string. You might want to look at any actions contained in the template, although you might want to change them to your needs. You may also want to consider what triggers it. Below is a list of your choices:

Table: UnsavedAggregateAlert

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Feb 10, 2026
actions	[Action]	yes	`Long-Term`	List of actions to fire on query result. See Action.
description	string		`Long-Term`	Description of the aggregate alert.
enabled	boolean	yes	`Long-Term`	Flag indicating whether the aggregate alert is enabled.
labels	[string]	yes	`Long-Term`	Labels attached to the aggregate alert.
name	string	yes	`Long-Term`	Name of the aggregate alert.
queryString	string	yes	`Long-Term`	The LogScale query to execute.
queryTimestampType	QueryTimestampType	yes	`Long-Term`	Timestamp type to use for a query. See QueryTimestampType.
searchIntervalSeconds	long	yes	`Long-Term`	The search interval in seconds.
throttleField	string		`Deprecated`	The field on which to throttle. This can be set only if throttleTimeSeconds is set. Aggregate alerts now support multiple throttle fields. This field will be removed at the earliest in version 1.279. Use instead the throttleFields field.
throttleFields	[string]		`Long-Term`	The fields on which to throttle. This can be set only if throttleTimeSeconds is set.
throttleTimeSeconds	long	yes	`Long-Term`	The throttle time in seconds.
triggerMode	TriggerMode	yes	`Long-Term`	The mode used for triggering the alert. See TriggerMode.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes