Skip to main content

Data Anomaly | A UDA alert was received, but the file modification dates in the report are not recent.

Data Anomaly | A UDA alert was received, but the file modification dates in the report are not recent.

Updated today

Problem description

  • The Data anomaly alert was generated when the UDA scan detected xxxx number of files as modified in a single snapshot after exceeding the file change baseline..

  • Downloaded the report, and upon review, you see the modified date field of the report shows a very small number of files being modified recently, despite the alert referencing a much larger number of modified files.

Cause

The spike in modified files was due to a change in folder attributes, which, while not altering the file modified timestamp, caused the system to mark all files in the folder as “Modified” when the scan type was changed from USN Journal to Full Scan.

The reason for the change in Scan type was due to the USN Journal was purged due to a size crunch.

Traceback

level=error ts=2025-10-22T23:04:05.9104208-04:00 filename=usn_windows.go:193 message="Start usn not found, journal is purged" startStateUSN=6895435776 NextReadStateUSN=6867120464 Fset=D stack="goroutine 153 

level=error ts=2025-10-22T23:04:05.9104208-04:00 filename=usn_windows.go:153 message="Failed to validate oldJournalState" Fset=D Error="start usn not found" stack="goroutine 153 

level=info ts=2025-10-22T23:04:05.9104208-04:00 filename=prewalk.go:149 message="Converting to full scan as dictated by changelist init" Fset=D Cause="start usn not found"

level=info ts=2025-10-22T23:04:05.9104208-04:00 filename=progresslogger.go:36 message="Job ProgressLog message: Converting to full scan as dictated by changelist init fset: 'D'."

Resolution

  • Increase the USN Journal Size.

  • Follow the document to increase the Journal Size:

See also

https://help.druva.com/en/articles/8829715-file-server-backup-fails-with-the-unable-to-query-usn-journal-error

Did this answer your question?