Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

Acrobat logo Download manual as PDF


The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Acrobat logo Download topic as PDF

Debug playbooks in

If you're having problems with your playbook and need to troubleshoot issues, run your playbook using the debugger.

To run your playbook using the debugger, the playbook must meet the following conditions:

  • The playbook must be saved. You cannot debug playbooks in edit mode.
  • The playbook cannot be marked active.
  • The playbook must have an event to run against. If there are dependencies on any artifacts as part of the event, the artifacts must also be present and must not have been previously used by this same version of the playbook.

You can access the playbook debugger using one of the following methods:

Set Scope to define which artifacts are processed in the playbook run. You can set the scope to New Artifacts to process only artifacts defined since the playbook was last run, or All Artifacts to include all artifacts in the playbook run.

Each line in the debug content starts with a date time stamp. Log entries show which action is running. The parameter sent, such as inputs from earlier blocks or playbooks and message it received, and the outputs of each block are logged. The API call to on_finish represents a call to the End block. The playbook completes by logging a SUCCESS or FAILURE status.

Debug input playbooks

You can test the inputs of an input playbook using the debugger.

To test and debug an input playbook:

  1. Open the playbook in the Visual Playbook Editor.
  2. Within the Visual Playbook Editor, open the Playbook Debugger.
  3. Add the event id to test against.
  4. Select Test.

The output of the debugger shows the execution of the playbook, so you can see each of the blocks and the test inputs.

Last modified on 27 March, 2024
PREVIOUS
Reorder active playbooks in 		 

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters