Debug playbooks in
If you're having problems with your playbook and need to troubleshoot issues, run your playbook using the debugger.
To run your playbook using the debugger, the playbook must meet the following conditions:
- The playbook must be saved. You cannot debug playbooks in edit mode.
- The playbook cannot be marked active.
- The playbook must have an event to run against. If there are dependencies on any artifacts as part of the event, the artifacts must also be present and must not have been previously used by this same version of the playbook.
You can access the playbook debugger using one of the following methods:
- Select the Playbook Debugger tab in the playbook editor.
- Use the Cmd+D or Ctrl+D keyboard shortcut. See Use keyboard shortcuts in the playbook editor.
Set Scope to define which artifacts are processed in the playbook run. You can set the scope to New Artifacts to process only artifacts defined since the playbook was last run, or All Artifacts to include all artifacts in the playbook run.
Each line in the debug content starts with a date time stamp. Log entries show which action is running. The parameter sent, such as inputs from earlier blocks or playbooks and message it received, and the outputs of each block are logged. The API call to
on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.
Debug input playbooks
You can test the inputs of an input playbook using the debugger.
To test and debug an input playbook:
- Open the playbook in the Visual Playbook Editor.
- Within the Visual Playbook Editor, open the Playbook Debugger.
- Add the event id to test against.
- Select Test.
The output of the debugger shows the execution of the playbook, so you can see each of the blocks and the test inputs.
Reorder active playbooks in
This documentation applies to the following versions of Splunk® SOAR (Cloud): current