Hello,
We have an AR Action, and it works fine with a correlation search. But when we try to invoke it as an adhoc action, it fails with the following error message:
ActiveResponseException: Invalid parameter for adhoc modular action.
Now we use the sendalert command in our alert_actions.conf, so according to the Splunk documentation, it should support adhoc invocation. The command we use in our alert_actions.conf follows the Splunk example for adaptive response:
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
None of the log files in the $SPLUNK_HOME/var/log/splunk folder provides useful information. How can we debug this, please?
Thanks!
I am going to answer my question. 🙂
With help from Splunk ES support, it turns out each field (parameter) in the alert UI must be specified in alert_actions.conf (and defined in alert_actions.conf.spec). This is not required for invocation from a correlation search.
@jawaharas can you upload the screenshot again? Getting a 403.
Here you go - http://prnt.sc/p40i0c
Just create fields in alert_actions.conf corresponding to each field in the 'Adaptive Response Action' page.
Thanks @jawaharas, just so happens I'm fault finding the TheHive add-on too
A picture speaks a thousand words - https://prnt.sc/
Did you have to break out the command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" into individual fields and add each to the spec file?
No, you do not have to specify things like action_name, results_file, results_link, etc as these are internal to sendalert. This error commonly occurs when you define parameters in the action HTML that aren't represented in alert_actions.conf.spec and alert_actions.conf...
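What those declarations look like in practice, as an added example that is not from this thread or from any particular add-on: the action name myaction, its two parameters (server_url, severity) and the HTML field name are hypothetical; the command line is the one quoted in the question.

```ini
; README/alert_actions.conf.spec  (hypothetical action "myaction")
; Every param.* that the action's HTML form submits must be declared here,
; otherwise an adhoc invocation fails with "Invalid parameter for adhoc modular action".
[myaction]
param.server_url = <string>
* URL of the external system the action sends results to.
param.severity = <string>
* Severity label attached to each forwarded event.

; default/alert_actions.conf  (ship it in default, not only in local)
[myaction]
is_custom = 1
label = My Action
description = Forwards the triggering results to an external system
icon_path = myaction.png
payload_format = json
; Common Action Model metadata; supports_adhoc must be true for adhoc invocation.
param._cam = {"task": ["create"], "subject": ["endpoint"], "category": ["Information Gathering"], "technology": [{"vendor": "Example", "product": "MyAction", "version": "1.0"}], "supports_adhoc": true}
; The sendalert line from the question; action_name, results_file and results_link
; are handled internally by sendalert and need no param.* declaration.
command = sendalert $action_name$ results_file="$results.file$" results_link="$results.url$" param.action_name=$action_name$ | stats count
; Defaults for the declared parameters; the UI values override these per alert.
param.server_url =
param.severity = medium

; The matching form field in default/data/ui/alerts/myaction.html
; (hypothetical) must use the same parameter name:
;   <input type="text" name="action.myaction.param.server_url" id="server_url" />
```

A quick self-check after packaging is to confirm that the param.* keys in the installed default/alert_actions.conf match the names the HTML form submits; any field present in the form but missing from the conf and spec is a candidate for this error.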
When we develop a TA using add-on builder and then update the alert actions, as part of packaging/merging, the add-on builder doesn't merge the local/alert_actions.conf to default, causing this issue. Possibly it's a bug in add-on builder?
AoB will merge those BTW - you need to export it as an SPL package - which is the last option in the project flow in AoB.
Kyle - I did validate the package, exported the spl file and looked at the contents of the alert_actions.conf, and it was different from the contents in the local folder. So, the merge didn't happen. I used AOB 2.2.0.
So, my invocation via correlation search worked, but not via adhoc means. After I merged them manually (as per spec), both worked.
I'm not exactly sure what we're referring to with respect to "add-on builder doesn't merge the local/alert_actions.conf" to default. When you install the app, Splunk's API will dynamically layer local configurations onto the defaults, so while the best practice would be to ship everything in default, this should not be the source of your breakage.
Unfortunately, the AOB didn't package them into default, overwriting the old version of alert_actions.conf.