Running the search hostname=hostname index=os source=ps doesn't show all the information that running ps.sh from the host shows. For example, I don't see my Java command. Can someone help w/ this?
The command will run on the Forwarder as the user that owns/runs the splunkd process. That user may not be privileged enough to show everything. See about giving sudo to that user and running the ps as root with sudo.
That's not it unfortunately. Splunk runs as the splunk user on the server, and when I login to the server as that user and run ps, I get all the data I expect.
This sounds like you might be getting truncated after 256 events (the default). If that's the case, you could update props.conf for the 'ps' sourcetype with TRUNCATE = 0.
