Custom Alert Action UI - dynamic drop down list


In my custom alert action UI, I would like to include an HTML select (drop down list) with values that are retrieved from an external REST call. The documentation does state that only HTML fragments are recommended - and my testing shows that javascript code is stripped out by Splunk.

Is there any way to display dynamic content in the custom alert action UI?


Splunk Employee
Splunk Employee

This is extremely old, but I thought I would give an answer anyway. Please follow this doc to find your answer:

New Member

This doesn't seem to work properly. I added custom drilldown(splunk-search-dropdown) to my html, it executes the search query and gives me values in dropdown. But, when I select and save the configuration, it's not reflected in conf file. It never saves the selected dropdown value.

<div class="control-group">
    <label class="control-label">Custom Dropdown</label>
    <div class="controls">
        <splunk-search-dropdown name="action.[app_name].param.[param_name]"
                search="[search query]"
                value-field="[value_field]" label-field="[label_field]">

Also, if I add 'splunk-search-dropdown' inside 'splunk-control-group' , the dropdown never shows up.
I have already added param_name in alert_actions.conf

0 Karma

Path Finder

Excuse my super late reply. Below may help those who arrive here after me.

Be careful to check that your html is referencing your stanza name - not your app name. 

<splunk-search-dropdown name="action.[stanza_name].param.[param_name]"...


Below is how to extend the "logger_app" example in docs to add a dropdown. User's choice is sent to script.


<form class="form-horizontal form-complex">
<p>Write log entries for this action.</p>
<splunk-search-dropdown name="action.logger.param.mychoice1"
search=" | inputlookup alert_action_dropdown1.csv | stats c by foo1"
value-field="foo1" label-field="foo1"/>


is_custom = 1
disabled = 0
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.png
param.mychoice0=This param is hardcoded. Look, I can use a token: $$
#param.mychoice1=This param comes in from your stanza in savedsearches.conf.
#savedsearches.conf: action.logger.param.mychoice1=User picks from the UI. See logger.html

Output in test_modalert.log  then looks like:

<stanza name="test_alert_action_logger_with_added_dropdown1">
<param name="mychoice0">This param is hardcoded. Look, I can use a token: </param>
<param name="mychoice1">splunk2</param>

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...