If users miss passwords more than five times, their accounts are locked.
However, if an account with the role admin has a password that is incorrect more than 10 times, the account will not be locked.
If an account with the admin role also fails to log in more than 5 times, how do I lock my account?
Are any of your users LDAP/SSO, or are they all using local Splunk authentication?
My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.