Native Splunk Password Expiry Alert - Is it not working for anyone?


I have setup the Splunk native password policy on my company's implementation but it seems like the password expiration alert does not work as expected. Today I have many users complaining that their password has expired but did not receive, or notice any warning.

I was assuming that the 15 day alerts would be a "highlighted bar" at the top of the splunk page (fine for daily users) but for occasional users I was expecting an email. Reading over the docs I can only find information on how to set this but not any detail on what it actually does.

Labels (1)
0 Karma


alt text
The alert is displayed when a user login (image above), you have to specify some parameters in the authentication.conf (, to do so : declare the stanza splunk_auth and modify the following keys :

minPasswordLength = 8
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
expirePasswordDays = 20
expireAlertDays = 42
expireUserAccounts = True
forceWeakPasswordChange = True
lockoutUsers = True
lockoutMins = 30
lockoutAttempts = 3
enablePasswordHistory = True
passwordHistoryCount = 5
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!