Native Splunk Password Expiry Alert - Is it not working for anyone?


I have setup the Splunk native password policy on my company's implementation but it seems like the password expiration alert does not work as expected. Today I have many users complaining that their password has expired but did not receive, or notice any warning.

I was assuming that the 15 day alerts would be a "highlighted bar" at the top of the splunk page (fine for daily users) but for occasional users I was expecting an email. Reading over the docs I can only find information on how to set this but not any detail on what it actually does.

Labels (1)
0 Karma


alt text
The alert is displayed when a user login (image above), you have to specify some parameters in the authentication.conf (, to do so : declare the stanza splunk_auth and modify the following keys :

minPasswordLength = 8
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
expirePasswordDays = 20
expireAlertDays = 42
expireUserAccounts = True
forceWeakPasswordChange = True
lockoutUsers = True
lockoutMins = 30
lockoutAttempts = 3
enablePasswordHistory = True
passwordHistoryCount = 5
0 Karma