Running the search hostname=hostname index=os source=ps doesn't show all the information that running ps.sh from the host shows. For example, I don't see my Java command. Can someone help w/ this?
The command will run on the Forwarder as the user that owns/runs the splunkd process. That user may not be privileged enough to show everything. See about giving sudo to that user and running the ps as root with sudo.
That's not it, unfortunately. Splunk runs as the splunk user on the server, and when I log in to the server as that user and run ps, I get all the data I expect.
This sounds like you might be getting truncated after 256 events (the default). If that's the case, you could update props.conf for the 'ps' sourcetype with TRUNCATE = 0.