Yes, we are using a clustered deployment.

I can't access this bug. Is there anyway you could send me a quick explanation on it?

All I can provide you is the bug description: Events deleted in an index cluster via the "| delete" search operator reappear after cluster restart

If you are a Splunk customer with a support entitlement, please open a support case for this, so your case# can be added to the bug ticket.

Ok, thanks. Will do.

No problem. It may be worthwhile thinking about a different approach to solving your use case. As you may know, | delete does not physically delete events, it just prevents them from being searchable.
Maybe you can configure your index retention settings such that old data ages out according to your needs.
Or use tags to flag outdated events and modify your searches to not include tagged events, if you cannot reliably use _time to limit your search results to the latest data.
Just a thought.

We are using frozentimeperiodinsecs.

We are not using tags to flag outdated data. Do you have a good reference?

Sorry, on second thought, using tags is probably not going to work well for this, unless you have a single field value in your dataset that is common to all events you need to hide. For example, if you can use a date field, you could tag all events from a specific date as "outdated" and include something like NOT "tag::date=outdated to your searches.

@ssievert - Any ideas on this?

Sure. we pipe to delete quite often. Like the following:

index=index1 | delete

We consider this to be the fake or soft delete compared to the cli index truncate

OK, so you are saying that when you are doing a | delete and restart your indexer, the events that were subject to deletion are searchable again?
What exact version of Splunk are you running?

We're running 6.2.2. Yes, we have a series of what we call snapshot indexes where we delete the data daily and re-ingest.

Yes, old source files reappear and are searchable when we restart our indexers.