Deployment Architecture

Antivirus quarantines file with .pre-tsidx extension

New Member

Symantec Endpoint Protection has quarantined the following file: E:\Data\splunk\defaultdb\db\hot_v1_312\1355754175-1355754173-19125489371228.pre-tsidx the path references our production database files location. I have several questions regarding:
Can I assume this is a false positive?
Is the formation of a file with the .pre-tsidx file a normal part of Splunk function?

Have you seen this problem before?

One of our techs deleted the quarantined file, what impact might this have?

0 Karma

Splunk Employee
Splunk Employee

You should never be using AV against Splunk data files, because of this and because of performance. Your AV techs have deleted Splunk data. Fortunately, this particular file type can be rebuilt by rebuilding the bucket that it came from (once it has been rolled).

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...