Custom Alert Action UI - dynamic drop down list


In my custom alert action UI, I would like to include an HTML select (drop down list) with values that are retrieved from an external REST call. The documentation does state that only HTML fragments are recommended - and my testing shows that javascript code is stripped out by Splunk.

Is there any way to display dynamic content in the custom alert action UI?


Splunk Employee
Splunk Employee

This is extremely old, but I thought I would give an answer anyway. Please follow this doc to find your answer:

New Member

This doesn't seem to work properly. I added custom drilldown(splunk-search-dropdown) to my html, it executes the search query and gives me values in dropdown. But, when I select and save the configuration, it's not reflected in conf file. It never saves the selected dropdown value.

<div class="control-group">
    <label class="control-label">Custom Dropdown</label>
    <div class="controls">
        <splunk-search-dropdown name="action.[app_name].param.[param_name]"
                search="[search query]"
                value-field="[value_field]" label-field="[label_field]">

Also, if I add 'splunk-search-dropdown' inside 'splunk-control-group' , the dropdown never shows up.
I have already added param_name in alert_actions.conf

0 Karma

Path Finder

Excuse my super late reply. Below may help those who arrive here after me.

Be careful to check that your html is referencing your stanza name - not your app name. 

<splunk-search-dropdown name="action.[stanza_name].param.[param_name]"...


Below is how to extend the "logger_app" example in docs to add a dropdown. User's choice is sent to script.


<form class="form-horizontal form-complex">
<p>Write log entries for this action.</p>
<splunk-search-dropdown name="action.logger.param.mychoice1"
search=" | inputlookup alert_action_dropdown1.csv | stats c by foo1"
value-field="foo1" label-field="foo1"/>


is_custom = 1
disabled = 0
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.png
param.mychoice0=This param is hardcoded. Look, I can use a token: $$
#param.mychoice1=This param comes in from your stanza in savedsearches.conf.
#savedsearches.conf: action.logger.param.mychoice1=User picks from the UI. See logger.html

Output in test_modalert.log  then looks like:

<stanza name="test_alert_action_logger_with_added_dropdown1">
<param name="mychoice0">This param is hardcoded. Look, I can use a token: </param>
<param name="mychoice1">splunk2</param>

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...