Excuse my super late reply. Below may help those who arrive here after me. Be careful to check that your html is referencing your stanza name - not your app name. <splunk-search-dropdown name="action.[stanza_name].param.[param_name]"... Below is how to extend the "logger_app" example in docs to add a dropdown. User's choice is sent to script. logger.html <form class="form-horizontal form-complex"> <p>Write log entries for this action.</p> <splunk-search-dropdown name="action.logger.param.mychoice1" search=" | inputlookup alert_action_dropdown1.csv | stats c by foo1" value-field="foo1" label-field="foo1"/> </form> alert_actions.conf [logger] is_custom = 1 disabled = 0 label = Log alert action description = Custom action for logging fired alerts icon_path = logger_logo.png param.mychoice0=This param is hardcoded. Look, I can use a token: $result.host$ #param.mychoice1=This param comes in from your stanza in savedsearches.conf. #savedsearches.conf: action.logger.param.mychoice1=User picks from the UI. See logger.html Output in test_modalert.log then looks like: ...</search_name> <configuration> <stanza name="test_alert_action_logger_with_added_dropdown1"> <param name="mychoice0">This param is hardcoded. Look, I can use a token: </param> <param name="mychoice1">splunk2</param> </stanza> </configuration> <result>...
... View more