generateScheduledSearchFromPackageTemplate()

API Stability	`Long-Term`

The generateScheduledSearchFromPackageTemplate() GraphQL query to generate an unsaved scheduled search from a package scheduled search template.

Syntax

Below is the syntax for the generateScheduledSearchFromPackageTemplate() query field:

graphql

generateScheduledSearchFromPackageTemplate(
      input: GenerateScheduledSearchFromPackageTemplateInput!
   ): UnsavedScheduledSearch!

The input datatype, GenerateScheduledSearchFromPackageTemplateInput is to give the data for generating an unsaved scheduled search object from a library package template. Below is an example using this query field:

Show:

graphql

query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: "company-http", 
            packageId: "http-packers@1.23",
            templateName: "standard-aggregatealert-template"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  generateScheduledSearchFromPackageTemplate( ^
    input: {viewName: \"company-http\",  ^
            packageId: \"http-packers@1.23\", ^
            templateName: \"standard-aggregatealert-template\"} ^
  ) { ^
    name,  ^
    description, ^
    queryString, enabled, ^
    schedule, timeZone, ^
    actions { ^
      id, name, isAllowedToRun ^
    }     ^
  } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  generateScheduledSearchFromPackageTemplate(
    input: {viewName: \"company-http\", 
            packageId: \"http-packers@1.23\",
            templateName: \"standard-aggregatealert-template\"}
  ) {
    name, 
    description,
    queryString, enabled,
    schedule, timeZone,
    actions {
      id, name, isAllowedToRun
    }    
  }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

The given datatype, GenerateScheduledSearchFromPackageTemplateInput has only a few parameters. They're listed here:

Table: GenerateScheduledSearchFromPackageTemplateInput

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 18, 2024
`packageId`	`VersionedPackageSpecifier`	yes	`Long-Term`	The unique identifier of the package with which the scheduled search was installed. `VersionedPackageSpecifier` is a scalar.
`templateName`	string	yes	`Long-Term`	The name of the scheduled search template in the package.
`viewName`	`RepoOrViewName`	yes	`Long-Term`	The name of the view of the scheduled search. `RepoOrViewName` is a scalar.

Returned Datatypes

For UnsavedScheduledSearch, there are several possible values returned, which are listed below:

Table: UnsavedScheduledSearch

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Apr 3, 2025
`actions`	[`Action`]	yes	`Long-Term`	A list of IDs for actions to fire on query result. See `Action`.
`backfillLimit`	integer	yes	`Deprecated`	User-defined limit, which caps the number of missed searches to backfill (e.g., in the event of a shutdown). This option is deprecated and will be removed at the earliest in version 1.231. Use instead `backfillLimitV2`.
`backfillLimitV2`	integer		`Long-Term`	User-defined limit, which caps the number of missed searches to backfill when `queryTimestampType` is `EventTimestamp`.
`description`	string		`Long-Term`	A description of the scheduled search.
`enabled`	boolean	yes	`Long-Term`	Whether the scheduled search is enabled.
`end`	string	yes	`Deprecated`	End of the relative time interval for the query. This field is deprecated. It will be removed at the earliest in version 1.231.
`labels`	[string]	yes	`Long-Term`	Labels attached to the scheduled search.
`maxWaitTimeSeconds`	long		`Long-Term`	The maximum wait time in seconds when `queryTimestampType` is `IngestTimestamp`.
`name`	string	yes	`Long-Term`	The name of the scheduled search.
`queryString`	string	yes	`Long-Term`	The LogScale query to execute.
`queryTimestampType`	`QueryTimestampType`	yes	`Long-Term`	The timestamp type to use for the query. Running on `@ingesttimestamp` is only available with feature flag `ScheduledSearchIngestTimestamp`. See `QueryTimestampType`.
`schedule`	string	yes	`Long-Term`	The cron pattern describing the schedule on which to execute the query.
`searchIntervalOffsetSeconds`	long		`Long-Term`	The search interval offset in seconds when `queryTimestampType` is `EventTimestamp`.
`searchIntervalSeconds`	long	yes	`Long-Term`	The search interval in seconds.
`start`	string	yes	`Deprecated`	Start of the relative time interval for the query. This field is deprecated. It will be removed at the earliest in version 1.231.
`timeZone`	string	yes	`Long-Term`	The time zone of the schedule. Currently, this field supports only UTC offsets (e.g., 'UTC', 'UTC-01' or 'UTC+12:45').

GraphQL Queries

GraphQL API Stability

GraphQL Mutations

GraphQL Datatypes