We have just deployed TA-sos to all search heads and indexers. Both inputs (ps_sos.sh and lsof_sos.sh) are enabled, but no lsof_sos source data is being received. Running the script manually, it produces no output. Any idea what is going wrong?

lsof is not on path, but even editing the script to call lsof at its actual location /usr/sbin/lsof still produces no output.

/usr/sbin/lsof -n -P -s -p [splunkd pid from ./splunk status],[splunkweb pid from ./splunk status]

produces plenty of output, even run as the splunk user.