Symantec Endpoint Protection has quarantined the following file: E:\Data\splunk\defaultdb\db\hot_v1_312\1355754175-1355754173-19125489371228.pre-tsidx. The path references our production database files' location. I have several questions regarding this:
Can I assume this is a false positive?
Is the formation of a file with the .pre-tsidx file a normal part of Splunk function?
Have you seen this problem before?
One of our techs deleted the quarantined file, what impact might this have?
You should never be using AV against Splunk data files, because of this and because of performance. Your AV techs have deleted Splunk data. Fortunately, this particular file type can be rebuilt by rebuilding the bucket that it came from (once it has been rolled).
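As an added example (not part of the original answer), the script below shows the kind of check an administrator can run after an AV product has removed index files: it walks an index's db/ directory and lists warm buckets (db_*) that still have rawdata/ but no .tsidx file, which are the candidates for `splunk rebuild <bucket_dir>`. Hot buckets (hot_v1_*) are skipped because splunkd still owns them and their index files are only finalised when they roll to warm, which is why the answer says to rebuild once the bucket has rolled. The directory layout and names are constructed for the demo and are not real Splunk data.

```shell
#!/bin/sh
# Added example, not from the original post: report warm Splunk buckets
# whose .tsidx index files are missing (e.g. deleted by an AV quarantine).
# Output is a list of bucket directories to pass to `splunk rebuild`.
# Hot buckets (hot_v1_*) are deliberately ignored: splunkd is still
# writing them, so a missing .tsidx there is not evidence of damage.

find_buckets_missing_tsidx() {
    db_dir="$1"                      # e.g. /opt/splunk/var/lib/splunk/defaultdb/db
    for bucket in "$db_dir"/db_*; do
        [ -d "$bucket" ] || continue # unmatched glob stays literal; skip it
        has_tsidx=0
        for f in "$bucket"/*.tsidx; do
            if [ -e "$f" ]; then has_tsidx=1; break; fi
        done
        # rawdata/ present but no .tsidx: the bucket can be rebuilt from rawdata
        if [ "$has_tsidx" -eq 0 ] && [ -d "$bucket/rawdata" ]; then
            printf '%s\n' "$bucket"
        fi
    done
}

# Constructed sample index: one intact warm bucket, one warm bucket whose
# .tsidx has been removed, and one hot bucket. All names are made up.
make_sample_index() {
    root="$1"
    mkdir -p "$root/db/db_1355760000_1355750000_1/rawdata"
    : > "$root/db/db_1355760000_1355750000_1/1355760000-1355750000-1.tsidx"
    mkdir -p "$root/db/db_1355770000_1355760001_2/rawdata"   # .tsidx deleted
    mkdir -p "$root/db/hot_v1_3/rawdata"                     # hot bucket, skipped
}

# Stand-alone demo on a throwaway directory.
demo_root=$(mktemp -d)
make_sample_index "$demo_root"
echo "Warm buckets needing rebuild under $demo_root/db:"
find_buckets_missing_tsidx "$demo_root/db"
rm -rf "$demo_root"
```

Run it against a real index path only with splunkd stopped or with the affected index paused, and feed each reported directory to `splunk rebuild`; the script itself never modifies anything.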