Antivirus quarantines file with .pre-tsidx extension

mbeutjer
New Member

Symantec Endpoint Protection has quarantined the following file: E:\Data\splunk\defaultdb\db\hot_v1_312\1355754175-1355754173-19125489371228.pre-tsidx. The path references our production database file location. I have several questions regarding this:

Can I assume this is a false positive?

Is the formation of a file with the .pre-tsidx extension a normal part of Splunk function?

Have you seen this problem before?

One of our techs deleted the quarantined file; what impact might this have?

gkanapathy
Splunk Employee

You should never be using AV against Splunk data files, because of this and because of performance. Your AV techs have deleted Splunk data. Fortunately, this particular file type can be rebuilt by rebuilding the bucket that it came from (once it has been rolled).
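One way to find which rolled buckets have been left without index files after an AV quarantine, as an added example that is not part of this thread: it lists warm/cold buckets with no .tsidx file and prints the matching `splunk rebuild` commands for review. The db directory, SPLUNK_HOME and the sample bucket names are assumptions; `splunk rebuild <bucket_path>` is the standard Splunk CLI command for regenerating a bucket's index files from its raw data.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk.
# Lists rolled (warm/cold) buckets that contain no .tsidx file, which is the state a
# bucket is left in when AV quarantines or deletes its index files.
# Hot buckets (hot_v1_*) are skipped on purpose: they are still being written, and
# rebuilding only makes sense once the bucket has rolled (as the answer above notes).
# Bucket directory naming (db_<latest>_<earliest>_<id>, hot_v1_<id>) follows Splunk's
# standard layout; the db directory passed in is an assumption.
# Usage: buckets_missing_tsidx /opt/splunk/var/lib/splunk/defaultdb/db
buckets_missing_tsidx() {
    db_dir="$1"
    for bucket in "$db_dir"/db_*; do
        [ -d "$bucket" ] || continue
        # A rolled bucket with no *.tsidx cannot be searched; report it for rebuild.
        if ! ls "$bucket"/*.tsidx >/dev/null 2>&1; then
            printf '%s\n' "$bucket"
        fi
    done
}

# Print the rebuild commands instead of running them so an admin can review first.
# SPLUNK_HOME is an assumption (defaults to /opt/splunk).
print_rebuild_plan() {
    buckets_missing_tsidx "$1" | while read -r bucket; do
        printf '%s\n' "${SPLUNK_HOME:-/opt/splunk}/bin/splunk rebuild $bucket"
    done
}
```

Run the printed commands only with the indexer stopped or the bucket otherwise not in use, and add the index path to the AV exclusion list before doing so, or the rebuilt files will simply be quarantined again.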
