Can you elaborate a bit, please? What's a "soft deleted source"? Can you describe in more detail what you are trying to do and what symptoms you are seeing?
Sure. we pipe to delete quite often. Like the following:
index=index1 | delete
We consider this to be the fake or soft delete compared to the cli index truncate
OK, so you are saying that when you are doing a | delete and restart your indexer, the events that were subject to deletion are searchable again?
What exact version of Splunk are you running?
We're running 6.2.2. Yes, we have a series of what we call snapshot indexes where we delete the data daily and re-ingest.
Yes, old source files reappear and are searchable when we restart our indexers.
I cannot reproduce this on my standalone instance. However, I did find an open bug which describes your symptoms when using |delete in an indexer cluster (SPL-100516).
Are you using a clustered deployment?
All I can provide you is the bug description: Events deleted in an index cluster via the "| delete" search operator reappear after cluster restart
If you are a Splunk customer with a support entitlement, please open a support case for this, so your case# can be added to the bug ticket.