https://community.splunk.com/t5/Getting-Data-In/Why-are-Services-processes-missing-from-ps-sourcetype-query/m-p/592755#M103753 <P>I have Splunk_TA_nix installed and ps.sh enabled on my Apache storm nimbus instances.&nbsp; I can run a general ps sourcetype query on a service I know should always be running like rhnsd and get events back just fine ...</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=os host="my-stormn-1" sourcetype=ps rhnsd</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;However, when I do the same for the "stormnimbus" service I get zero events back ...</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=os host="my-stormn-1" sourcetype=ps stormnimbus</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Meanwhile, a "sudo systemctl status stormnimbus" on the my-stormn-1 instance itself shows that it is active and running.&nbsp; I'm having the same problem also with the stormui service as well as the stormsupervisor service running on my storm supervisor instances.&nbsp; I should note that I do have Splunk_TA_nix installed on my splunk indexers.&nbsp; Any advice as to why these services are not returning events with ps and how to fix it would be greatly appreciated.</P> Wed, 06 Apr 2022 20:36:52 GMT bsg273 2022-04-06T20:36:52Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Services-processes-missing-from-ps-sourcetype-query/m-p/592755#M103753 <P>I have Splunk_TA_nix installed and ps.sh enabled on my Apache storm nimbus instances.&nbsp; I can run a general ps sourcetype query on a service I know should always be running like rhnsd and get events back just fine ...</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=os host="my-stormn-1" sourcetype=ps rhnsd</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;However, when I do the same for the "stormnimbus" service I get zero events back ...</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=os host="my-stormn-1" sourcetype=ps stormnimbus</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Meanwhile, a "sudo systemctl status stormnimbus" on the my-stormn-1 instance itself shows that it is active and running.&nbsp; I'm having the same problem also with the stormui service as well as the stormsupervisor service running on my storm supervisor instances.&nbsp; I should note that I do have Splunk_TA_nix installed on my splunk indexers.&nbsp; Any advice as to why these services are not returning events with ps and how to fix it would be greatly appreciated.</P> Wed, 06 Apr 2022 20:36:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Services-processes-missing-from-ps-sourcetype-query/m-p/592755#M103753 bsg273 2022-04-06T20:36:52Z https://community.splunk.com/t5/Getting-Data-In/Why-are-Services-processes-missing-from-ps-sourcetype-query/m-p/592846#M103765 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/243884">@bsg273</a>,</P><P>did you tried to manually debug the search?</P><P>in other words, running the search without the word "<SPAN>stormnimbus" is there a similar string?</SPAN></P><P><SPAN>maybe in the ps command output it has a different value (e.g. "storm nimbus").</SPAN></P><P><SPAN>You could manually search or use a part of the string (e.g. storm or nimbus) and see if the value is present in Splunk data.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Thu, 07 Apr 2022 07:13:12 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-Services-processes-missing-from-ps-sourcetype-query/m-p/592846#M103765 gcusello 2022-04-07T07:13:12Z