Custom Alert Action UI - dynamic drop down list


In my custom alert action UI, I would like to include an HTML select (drop down list) with values that are retrieved from an external REST call. The documentation does state that only HTML fragments are recommended - and my testing shows that javascript code is stripped out by Splunk.

Is there any way to display dynamic content in the custom alert action UI?


Splunk Employee
Splunk Employee

This is extremely old, but I thought I would give an answer anyway. Please follow this doc to find your answer:

New Member

This doesn't seem to work properly. I added custom drilldown(splunk-search-dropdown) to my html, it executes the search query and gives me values in dropdown. But, when I select and save the configuration, it's not reflected in conf file. It never saves the selected dropdown value.

<div class="control-group">
    <label class="control-label">Custom Dropdown</label>
    <div class="controls">
        <splunk-search-dropdown name="action.[app_name].param.[param_name]"
                search="[search query]"
                value-field="[value_field]" label-field="[label_field]">

Also, if I add 'splunk-search-dropdown' inside 'splunk-control-group' , the dropdown never shows up.
I have already added param_name in alert_actions.conf

0 Karma

Path Finder

Excuse my super late reply. Below may help those who arrive here after me.

Be careful to check that your html is referencing your stanza name - not your app name. 

<splunk-search-dropdown name="action.[stanza_name].param.[param_name]"...


Below is how to extend the "logger_app" example in docs to add a dropdown. User's choice is sent to script.


<form class="form-horizontal form-complex">
<p>Write log entries for this action.</p>
<splunk-search-dropdown name="action.logger.param.mychoice1"
search=" | inputlookup alert_action_dropdown1.csv | stats c by foo1"
value-field="foo1" label-field="foo1"/>


is_custom = 1
disabled = 0
label = Log alert action
description = Custom action for logging fired alerts
icon_path = logger_logo.png
param.mychoice0=This param is hardcoded. Look, I can use a token: $$
#param.mychoice1=This param comes in from your stanza in savedsearches.conf.
#savedsearches.conf: action.logger.param.mychoice1=User picks from the UI. See logger.html

Output in test_modalert.log  then looks like:

<stanza name="test_alert_action_logger_with_added_dropdown1">
<param name="mychoice0">This param is hardcoded. Look, I can use a token: </param>
<param name="mychoice1">splunk2</param>

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...