generateScheduledSearchFromPackageTemplate()

API Stability Long-Term

The generateScheduledSearchFromPackageTemplate() GraphQL query to generate an unsaved scheduled search from a package scheduled search template.

This is a query, not a mutation. It will return only the information that you can use to create a new scheduled search. You'll then have to use the mutation field, createScheduledSearchV2().

Syntax

graphql

generateScheduledSearchFromPackageTemplate(
      input: GenerateScheduledSearchFromPackageTemplateInput!
   ): UnsavedScheduledSearch

For the input, you'll need to specify the name of the repository or view, the unique identifier for the package that contains the template, and the name of the template. For the results, you can request whatever you need to create a new scheduled search (e.g., the query string, and any search parameters). See the Return Datatype section for more possibilities.

Example

Below is an example using this query field:

Raw

graphql

query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: "company-http", 
            packageId: "http-packers@1.23",
            templateName: "standard-aggregatealert-template"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  generateScheduledSearchFromPackageTemplate( ^
    input: {viewName: \"company-http\",  ^
            packageId: \"http-packers@1.23\", ^
            templateName: \"standard-aggregatealert-template\"} ^
  ) { ^
    name,  ^
    description, ^
    queryString, enabled, ^
    schedule, timeZone, ^
    actions { ^
      id, name, isAllowedToRun ^
    }     ^
  } ^
}" ^
} '

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}";
$query =~ s/\n/ /g;
my $json = sprintf('{"query" : "%s"}',$query);
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL',
  path: 'graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatype

The input datatype described in the table below is used to specify the name of the repository or view, the unique identifier for the package that contains the template, and the name of the template for which you want to generate a scheduled search.

Table: GenerateScheduledSearchFromPackageTemplateInput

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 18, 2024
packageId	VersionedPackageSpecifier	yes	`Long-Term`	The unique identifier of the package with which the scheduled search was installed. VersionedPackageSpecifier is a scalar.
templateName	string	yes	`Long-Term`	The name of the scheduled search template in the package.
viewName	RepoOrViewName	yes	`Long-Term`	The name of the view of the scheduled search. RepoOrViewName is a scalar.

Returned Datatype

For the results, you can request what you need to create a new scheduled search: the query, the schedule for its execution, any action to take, etc. See the table below for details:

Table: UnsavedScheduledSearch

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 17, 2025
actions	[Action]	yes	`Long-Term`	A list of unique identifiers for actions to fire on query result. See Action.
backfillLimit	integer	yes	`Deprecated`	User-defined limit, which caps the number of missed searches to backfill (e.g., in the event of a shutdown). This option is deprecated and will be removed at the earliest in version 1.231. Use instead backfillLimitV2.
backfillLimitV2	integer		`Long-Term`	User-defined limit, which caps the number of missed searches to backfill when queryTimestampType is `EventTimestamp`.
description	string		`Long-Term`	A description of the scheduled search.
enabled	boolean	yes	`Long-Term`	Whether the scheduled search is enabled.
end	string	yes	`Deprecated`	End of the relative time interval for the query. This field is deprecated. It will be removed at the earliest in version 1.231.
labels	[string]	yes	`Long-Term`	Labels attached to the scheduled search.
maxWaitTimeSeconds	long		`Long-Term`	The maximum wait time in seconds when queryTimestampType is `IngestTimestamp`.
name	string	yes	`Long-Term`	The name of the scheduled search.
queryString	string	yes	`Long-Term`	The LogScale query to execute.
queryTimestampType	QueryTimestampType	yes	`Long-Term`	The timestamp type to use for the query. Running on `@ingesttimestamp` is only available with feature flag `ScheduledSearchIngestTimestamp`. See QueryTimestampType.
schedule	string	yes	`Long-Term`	The cron pattern describing the schedule on which to execute the query.
searchIntervalOffsetSeconds	long		`Long-Term`	The search interval offset in seconds when queryTimestampType is `EventTimestamp`.
searchIntervalSeconds	long	yes	`Long-Term`	The search interval in seconds.
start	string	yes	`Deprecated`	Start of the relative time interval for the query. This field is deprecated. It will be removed at the earliest in version 1.231.
timeZone	string	yes	`Long-Term`	The time zone of the schedule. Currently, this field supports only UTC offsets (e.g., 'UTC', 'UTC-01' or 'UTC+12:45').
triggerOnEmptyResult	boolean	yes	`Long-Term`	Whether the scheduled search should be triggered when there are no events.

Versions of this Page

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes