ITSI 4.4.1 recommended java version

pedro_77 · ‎01-16-2020

Hello

I have some strange problems with ITSI and first i would like confirm that java version which i'm using is recommended one.
My setup is Windows 2016, SPlunk 8.0 and ITSI 4.4.1 and current java is:
OpenJDK8U-jdk_x64_windows_hotspot_8u232b09

I have warnings like this:
Unable initialize modular input itsi_license_checker defined in the app "SA-ITSI-Linceschecker":
Also we cannot create any episode via aggregation policy. Smart mode analyze cannot find any results/fields.
Could you share with me which version of ITSI and which version of java is working for sure?

Thank You
Br
Piotr

waechtler_amaso · ‎01-22-2020

Hi,

I tested with another java Version, i.e. the Oracle java 8

java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) 64-Bit Server VM (build 25.241-b07, mixed mode)

This now works, no more error messages, and Episodes are now grouped

I guess it a problem of splunk parsing the java version string correctly

hth
Jan

waechtler_amaso · ‎01-20-2020

I see similar problems:
When opening an existing or adding a new Aggregation Policy, I get:

Java version installed on this search head does not support Aggregation Policies, Java version 1.8 or greater is required.

I can still define Aggregation policies, but notable events are not beeing grouped into episodes

This is on splunk 8.0.1, ITSI 4.4.1 on a linux machine running this java version:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment (build 11.0.6+10-post-Debian-1deb10u1)
OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Debian-1deb10u1, mixed mode, sharing)

MLTK 5.0.0 is installed and python.version=python3

According to the ITSI 4.4.1docs, this should all be fine

ITSI 4.4.1 recommended java version

configuration

troubleshooting

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases