We're having issues when we delete some data (with |delete): after an indexer restarts in the clustered environment, some of the data is replicated again. I did some research and found that this was a previous bug (SPL-100516). Has it been fixed?
Which version of Splunk are you running?
We are running 6.4.1.
This is a known issue that is being addressed by engineering.
Current workaround:
5 minutes after executing the search which deletes events, manually execute:
$SPLUNK_HOME/bin/splunkd apply-delete-journals
on the indexes/buckets from which data was deleted.
Why is this SPL not listed on the Known Issues page for the latest release?
Not sure, but I am having that addressed by the docs team.
Thank you!
Is there a workaround for deleting files and making sure they're gone?