Debug playbooks in
If you're having problems with your playbook and need to troubleshoot issues, run your playbook using the debugger.
To run your playbook using the debugger, the playbook must meet the following conditions:
- The playbook must be saved. Playbooks in edit mode can't be debugged.
- The playbook cannot be marked active.
- The playbook must have an event to run against. If there are dependencies on any artifacts as part of the event, the artifacts must also be present and must not have been previously used by this same version of the playbook.
You can access the playbook debugger using one of the following methods:
- Click the Playbook Debugger tab in the playbook editor.
- Use the Cmd+D or Ctrl+D keyboard shortcut. See Use keyboard shortcuts in the classic playbook editor.
Set Scope to define which artifacts are processed in the playbook run. You can set the scope to New Artifacts to process only artifacts defined since the playbook was last run, or All Artifacts to include all artifacts in the playbook run.
Each line in the debug content starts with a date time stamp. Log entries show which action is running. The parameter sent, such as inputs from earlier blocks or playbooks and message it received, and the outputs of each block are logged. The API call to
on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.
Debug input playbooks
You can test the inputs of an input playbook using the debugger.
To test and debug an input playbook:
- Open the playbook in the Visual Playbook Editor.
- Open the debugger from the tab in the lower right corner of the Visual Playbook Editor.
- In the top left corner of the debugger, click the adjustment bars icon.
- Add values for the playbook's inputs.
- Add the event id to test against.
- Click Test.
The output of the debugger shows the execution of the playbook so you can see each of the blocks and the test inputs.
Reorder active playbooks in
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!