Can somebody show me a Splunk command on how to find a number of password resets and how I can display the total number of password resets to that user?
index=main host=* source=* sourcetype=* password reset Account_Name=* | top limit=10 Account_Name
This is what I am referring to.
hi @keldridg2 - As much as I like earning karma points 🙂 🙂 , I cannot see how my answer helps with your question.
Your sourcetype is custom and it looks like neither my suggestion nor @richgalloway 's suggestion is related to your requirement.
Please un-accept my answer, as I feel it has not contributed significantly to your issue.
Sorry you do not feel like you contributed, but your answer will help me with future uses, as I have been trying to research how to do a reset command but could only find ways to reset the Splunk password. It was difficult to word what my idea is with index=main, but I do feel like your answer helps me out if a user decides to change their Splunk password.
no worries 🙂 thanks for your time, do hope your issue is solved .. have a nice day / night ahead 🙂 🙂
I will accept your answer and give you the points, as I do feel like you probably help many people with this issue.
something like this - ? index=_audit "action=password change"
Thanks for the help.
hi @keldridg2 - Did it work or did you have to do something different?
If this worked I will convert the comment into an answer, please accept it after the same.
If it did not and you did something else to resolve the issue please share your answer.
Both ways will benefit forum members who might face a similar issue in the future.
I found that we do have the index=_audit, but I am wondering, if it was index=main, how would I find the password change then?
hi @keldridg2 - The _audit index, as the name suggests, contains ALL (well, as much as Splunk's default audit info goes) audit information irrespective of the number of indexes you have; you log into Splunk and not into an individual index.
Are we on the same page or is your need something different?
See for example how the above query captures password change info of splunk overall and NOT for any specific index.
Am I misunderstanding your question?
4/7/19
5:25:39.835 PM
Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]
action = password change host = vvvvv source = audittrail sourcetype = audittrail user = admin
No this is what I am looking for. Thanks.
The answer by @Sukisen1981 is a good one, but only applies to changes users make to their Splunk passwords. To find other password changes in your environment, you will have to know how those changes are reported to Splunk, if at all. They could be in a Windows event, a Linux audit record, or some application log. We'll need more information to help you better.
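To tally the _audit password change events per user (the per-user total the original question asks for, which in SPL would be index=_audit action="password change" | stats count by user, info), here is an added Python example that is not code from the thread: it parses constructed audittrail lines in the Audit:[key=value, ...][n/a] layout shown above and counts succeeded and failed changes per user. It assumes fields are separated by ", " as in that record; the sample lines are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audittrail events in the layout shown in the thread
# (one "Audit:[key=value, ...][n/a]" record per line). Not real data.
SAMPLE_AUDIT = """\
Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]
Audit:[timestamp=04-07-2019 17:26:02.110, user=admin, action=login attempt, info=succeeded][n/a]
Audit:[timestamp=04-07-2019 17:30:11.004, user=jsmith, action=password change, info=failed][n/a]
Audit:[timestamp=04-07-2019 17:31:45.210, user=jsmith, action=password change, info=succeeded][n/a]
Audit:[timestamp=04-07-2019 18:02:07.998, user=admin, action=password change, info=succeeded][n/a]
this line is not an audit record and is skipped
"""

# Matches the bracketed body of an Audit:[...] record (assumed layout).
AUDIT_RE = re.compile(r"^Audit:\[(?P<body>[^\]]*)\]")


def parse_audit_line(line):
    """Return the key=value fields of one audittrail record as a dict,
    or None if the line is not in the Audit:[...] layout."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(", "):  # assumed ", " field separator
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def password_changes_by_user(text):
    """Count password change records per user, split by outcome (info field):
    {user: {"succeeded": n, "failed": n}}. Other actions are ignored."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("action") == "password change":
            counts[rec.get("user", "<unknown>")][rec.get("info", "<unknown>")] += 1
    return {user: dict(c) for user, c in counts.items()}


if __name__ == "__main__":
    for user, outcome in sorted(password_changes_by_user(SAMPLE_AUDIT).items()):
        print(user, outcome)
```

Splitting the count by the info field is what lets a reviewer spot a user with many failed changes next to the successful ones.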