Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

Debug playbooks in

If you're having problems with your playbook and need to troubleshoot issues, run your playbook using the debugger.

To run your playbook using the debugger, the playbook must meet the following conditions:

  • The playbook must be saved. You cannot debug playbooks in edit mode.
  • The playbook cannot be marked active.
  • The playbook must have an event to run against. If there are dependencies on any artifacts as part of the event, the artifacts must also be present and must not have been previously used by this same version of the playbook.

You can access the playbook debugger using one of the following methods:

To run the debugger for a specific container, finding, or investigation, follow these steps:

If your Splunk SOAR instance is paired with your Splunk Enterprise Security instance, you can debug based on findings and investigations.

You must be logged in to Splunk Enterprise Security while debugging based on findings and investigations.

  1. Locate the ID for the container, finding, or investigation. Find the ID in the following locations:

     ID type       | Playbook type                               | Location
     Container     | Automation/SOAR, Input, Enterprise Security | In the SOAR Sources page, in the ID column
     Finding       | Enterprise Security                         | In the Enterprise Security Analyst queue, in the details panel, next to Reference ID.
     Investigation | Enterprise Security                         | In the Enterprise Security Analyst queue
  2. Copy the ID.
  3. Select whether you want to run the debugger as the current user or as the selected automation user.
  4. Select Test.

Each line in the debug content starts with a date and time stamp. Log entries show which action is running. The parameters sent, such as inputs from earlier blocks or playbooks, the messages received, and the outputs of each block are also logged. The API call to on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.
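The following added example (not Splunk's code) shows one way to triage a saved copy of the debug output: it groups stamped lines into entries, checks whether on_finish was called, and reports the final status, treating a transcript with no status line as incomplete. The timestamp format, the message wording, and the sample transcript are assumptions; only on_finish and the SUCCESS or FAILURE status come from this topic.

```python
import re

# Assumption: each entry starts with an ISO-8601-like stamp. Adjust TS to
# match the stamp format your debugger output actually uses.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s*:?\s+(.*)$")
STATUS = re.compile(r"\b(SUCCESS|FAILURE)\b")


def parse_entries(text):
    """Group output into (timestamp, message); unstamped lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            # Wrapped JSON or a traceback belongs to the entry above it.
            entries[-1][1] += "\n" + line
    return [tuple(e) for e in entries]


def summarize(text):
    """Report whether the End block was reached and the final logged status."""
    entries = parse_entries(text)
    status = None
    for _, msg in entries:
        found = STATUS.findall(msg)
        if found:
            status = found[-1]  # the last status logged wins
    return {
        "entries": len(entries),
        "reached_end": any("on_finish" in msg for _, msg in entries),
        # No status line: the transcript was cut off or the run has not finished.
        "status": status or "INCOMPLETE",
    }


# Constructed sample transcript; the wording of each message is illustrative only.
SAMPLE = """\
2025-02-20T10:15:01 Starting playbook on event 42
2025-02-20T10:15:02 running action 'geolocate ip' with parameters:
{"ip": "203.0.113.7"}
2025-02-20T10:15:04 calling on_finish()
2025-02-20T10:15:04 Playbook execution status is SUCCESS
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```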

Last modified on 20 February, 2025

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

