Any gurus know why there are files created in /var/tmp/ folder by Splunk?
splunk@splunk:/var/tmp> more ddtb5535964469493924781.tmp ??USTOMER-VXTBTO?0-0A-E6-B0-F9-4F?USTOMER-VXTBTO?L10.35.10.133窒?ILE?rojan.Downloader.1938.A質2005-06-29 18:03:03. 0?005-06-29 18:03:03.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\meminf.exe????? ? ??????窒窒窒窒窒 窒1窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?ILE?ackdoor.BotGet.FtpB.Gen質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?:\WINDOWS\system32\2pac.txt?? ?? ??????窒窒窒窒窒窒1窒??????? Connectswitch質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKCU\Software\Netscape\Netscape N avigator\User Trusted External Applications ""=""?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3 Connectswitch?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dwa re.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Uninstall\WildTangent CDA?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L 10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\W TVis.WTVisSender.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY ?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisSender?? ? ? ???L???? ???? ??窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質 2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver.1?? ?? ???L???? ???? ?? 窒窒窒窒窒窒3窒???????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39. 0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WTVis.WTVisReceiver?? ?? ???L???? ???? ??窒窒窒窒窒? ?窒?0??????0-0A-E6-A6-CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:3 9.0?005-06-28.01 (185480)?6842754?KCR\WT3D.WT.1?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?1??????0-0A-E6-A6 -CD-C3????L10.35.10.126窒?PY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)窒 16842754?LHKCR\WT3D.WT?? ?? ???L???? ???? ??窒窒窒窒窒窒3窒?2??????0-0A-E6-A6-CD-C3????L10.35.10.126? 窒SPY?dware.WildTangent質2005-06-29 18:06:39.0?005-06-29 18:06:39.0?005-06-28.01 (185480)?6842754?KCR\WT.WTMultiplaye
the file looks like above. Which looks like the files we are indexing.
Thanks for your help
Overall, it's quite unlikely that any pile-up is caused by the Splunk built-in operation. You may want to review any scripted inputs you have, or alert scripts.
I would also recommend using system tools such as lsof, auditing, and fuser to evaluate which processes have these temp files open, if any, and investigating those processes.
What is it about these files the leads you to believe they are created by Splunk? Splunk doesn't generally write anything into /var/tmp unless there is some script or process that you create and configure Splunk to run that specifically does so.