Getting Data In

Why are Services/processes missing from ps sourcetype query?

Path Finder

I have Splunk_TA_nix installed and enabled on my Apache storm nimbus instances.  I can run a general ps sourcetype query on a service I know should always be running like rhnsd and get events back just fine ...



index=os host="my-stormn-1" sourcetype=ps rhnsd



 However, when I do the same for the "stormnimbus" service I get zero events back ...



index=os host="my-stormn-1" sourcetype=ps stormnimbus



Meanwhile, a "sudo systemctl status stormnimbus" on the my-stormn-1 instance itself shows that it is active and running.  I'm having the same problem also with the stormui service as well as the stormsupervisor service running on my storm supervisor instances.  I should note that I do have Splunk_TA_nix installed on my splunk indexers.  Any advice as to why these services are not returning events with ps and how to fix it would be greatly appreciated.

Labels (5)
0 Karma


Hi @bsg273,

did you tried to manually debug the search?

in other words, running the search without the word "stormnimbus" is there a similar string?

maybe in the ps command output it has a different value (e.g. "storm nimbus").

You could manually search or use a part of the string (e.g. storm or nimbus) and see if the value is present in Splunk data.



0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...