I use Splunk local authentication mode and have enabled password policy. I want to calculate the password age of all users to improve my user management, but I haven't found any REST API searches or endpoints that provide this information.
Does anyone know how I get this information?
try to create a user, then give the user a password, then login as that user, then change the password
sign out and login as an admin.
index=_audit "action=password change" and keep on going from there
hope it helps
this is what I use
| rest /services/authentication/users splunk_server=local | fields title, roles, email | rename title as user | search | join max=2 usetime=true type=left user [search index=_audit action="password change" info="succeeded" | stats latest(timestamp) as change_timestamp by user | fields + change_timestamp user ] |eval change_timestamp = if(isnull(change_timestamp),"never",change_timestamp ) | eval display_roles=mvjoin(roles, ", ") | eval password_days=trunc((now() - strptime(change_timestamp, "%m-%d-%Y %H:%M:%S.%Q"))/84600) | sort - password_days | table user, email, change_timestamp, password_days, display_roles