Archive
Highlighted

How to Calculate Splunk User Password Age

Path Finder

Greetings,

I use Splunk local authentication mode and have enabled password policy. I want to calculate the password age of all users to improve my user management, but I haven't found any REST API searches or endpoints that provide this information.

Does anyone know how I get this information?

0 Karma
Highlighted

Re: How to Calculate Splunk User Password Age

SplunkTrust
SplunkTrust

try to create a user, then give the user a password, then login as that user, then change the password
sign out and login as an admin.
search: index=_audit "action=password change" and keep on going from there

hope it helps

0 Karma
Highlighted

Re: How to Calculate Splunk User Password Age

Path Finder

Hi Adonio,

Tkx for help.

0 Karma
Highlighted

Re: How to Calculate Splunk User Password Age

Path Finder

this is what I use

| rest /services/authentication/users splunk_server=local
| fields title, roles, email
| rename title as user
| search
| join max=2 usetime=true type=left user
    [search index=_audit action="password change" info="succeeded"
     | stats latest(timestamp) as change_timestamp by user
     | fields + change_timestamp user
    ]
|eval change_timestamp = if(isnull(change_timestamp),"never",change_timestamp )
| eval display_roles=mvjoin(roles, ", ")
| eval password_days=trunc((now() - strptime(change_timestamp, "%m-%d-%Y %H:%M:%S.%Q"))/84600)
| sort - password_days
| table user, email, change_timestamp, password_days, display_roles

View solution in original post

Highlighted

Re: How to Calculate Splunk User Password Age

Path Finder

Hi Kiamco,

Is It!!! Tkx.

0 Karma
Highlighted

Re: How to Calculate Splunk User Password Age

Path Finder

no problemo, happy to help 😄

0 Karma