
Why do soft deleted sources return after indexer restart?

Contributor

Why do soft deleted sources return after indexer restart? This has happened to us every time. We are performing a high number of soft deletes.


Re: Why do soft deleted sources return after indexer restart?

Splunk Employee

Can you elaborate a bit, please? What's a "soft deleted source"? Can you describe in more detail what you are trying to do and what symptoms you are seeing?

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Contributor

Sure. We pipe to delete quite often, like the following:

index=index1 | delete

We consider this to be the fake or soft delete compared to the CLI index truncate.

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Splunk Employee

OK, so you are saying that when you are doing a | delete and restart your indexer, the events that were subject to deletion are searchable again?
What exact version of Splunk are you running?

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Contributor

We're running 6.2.2. Yes, we have a series of what we call snapshot indexes where we delete the data daily and re-ingest.

Yes, old source files reappear and are searchable when we restart our indexers.

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Contributor

@ssievert - Any ideas on this?

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Splunk Employee

I cannot reproduce this on my standalone instance. However, I did find an open bug which describes your symptoms when using |delete in an indexer cluster (SPL-100516).

Are you using a clustered deployment?

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Contributor

Yes, we are using a clustered deployment.

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Contributor

I can't access this bug. Is there any way you could send me a quick explanation of it?

0 Karma

Re: Why do soft deleted sources return after indexer restart?

Splunk Employee

All I can provide you is the bug description: Events deleted in an index cluster via the "| delete" search operator reappear after cluster restart

If you are a Splunk customer with a support entitlement, please open a support case for this, so your case# can be added to the bug ticket.