Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ITSI 4.4.1 recommended java version

pedro_77
New Member
‎01-16-2020 12:37 AM

Hello

I have some strange problems with ITSI and first i would like confirm that java version which i'm using is recommended one.
My setup is Windows 2016, SPlunk 8.0 and ITSI 4.4.1 and current java is:
OpenJDK8U-jdk_x64_windows_hotspot_8u232b09

I have warnings like this:
Unable initialize modular input itsi_license_checker defined in the app "SA-ITSI-Linceschecker":
Also we cannot create any episode via aggregation policy. Smart mode analyze cannot find any results/fields.
Could you share with me which version of ITSI and which version of java is working for sure?

Thank You
Br
Piotr

Labels (2)
0 Karma
Reply

waechtler_amaso
Explorer
‎01-22-2020 02:08 AM

Hi,

I tested with another java Version, i.e. the Oracle java 8 

java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) 64-Bit Server VM (build 25.241-b07, mixed mode)

This now works, no more error messages, and Episodes are now grouped

I guess it a problem of splunk parsing the java version string correctly

hth
Jan

0 Karma
Reply

waechtler_amaso
Explorer
‎01-20-2020 06:29 AM

I see similar problems:
When opening an existing or adding a new Aggregation Policy, I get:

Java version installed on this search head does not support Aggregation Policies, Java version 1.8 or greater is required.

I can still define Aggregation policies, but notable events are not beeing grouped into episodes

This is on splunk 8.0.1, ITSI 4.4.1 on a linux machine running this java version:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment (build 11.0.6+10-post-Debian-1deb10u1)
OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Debian-1deb10u1, mixed mode, sharing)

MLTK 5.0.0 is installed and python.version=python3

According to the ITSI 4.4.1docs, this should all be fine

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...