Debug playbooks in
If you're having problems with your playbook and need to troubleshoot issues, run your playbook using the debugger.
To run your playbook using the debugger, the playbook must meet the following conditions:
- The playbook must be saved. You cannot debug playbooks in edit mode.
- The playbook cannot be marked active.
- The playbook must have an event to run against. If there are dependencies on any artifacts as part of the event, the artifacts must also be present and must not have been previously used by this same version of the playbook.
You can access the playbook debugger using one of the following methods:
- Select the Playbook Debugger tab in the playbook editor.
- Within the playbook editor, use the Cmd+D or Ctrl+D keyboard shortcut. See Use keyboard shortcuts in the playbook editor.
To run the debugger for a specific container, finding, or investigation, follow these steps:
If your Splunk SOAR instance is paired with your Splunk Enterprise Security instance, you can debug based on findings and investigations.
You must be logged in to Splunk Enterprise Security while debugging based on findings and investigations.
- Locate the ID for the container, finding, or investigation. Find the ID in the following locations:

  | ID type | Playbook type | Location |
  | --- | --- | --- |
  | Container | Automation/SOAR, Input, Enterprise Security | In the SOAR Sources page, in the ID column |
  | Finding | Enterprise Security | In the Enterprise Security Analyst queue, in the details panel, next to Reference ID. |
  | Investigation | Enterprise Security | In the Enterprise Security Analyst queue |

- Copy the ID.
- Select whether you want to run the debugger as the current user or as the selected automation user.
- Select Test.
Each line in the debug content starts with a date and time stamp. Log entries show which action is running. The parameters sent, such as inputs from earlier blocks or playbooks, the messages received, and the outputs of each block are also logged. The API call to on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.
This documentation applies to the following versions of Splunk® SOAR (Cloud): current