The content of Splunk password Policy.
-- authentication.conf --
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 90
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 5
lockoutMins = 30
lockoutThresholdMins = 5
lockoutUsers = 1
minPasswordDigit = 0
minPasswordLength = 8
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordUppercase = 0
passwordHistoryCount = 24
verboseLoginFailMsg = 1
If users miss passwords more than five times, their accounts are locked.
However, if an account with the role admin has a password that is incorrect more than 10 times, the account will not be locked.
If an account with the admin role also fails to log in more than 5 times, how do I lock my account?
Are any of your users LDAP/SSO, or are they all using local Splunk authentication?
My understanding is that any local Splunk account will lock after 5 failed attempts (and will lock for 30 mins) even if that user has the admin role.
However that will not apply if the user is LDAP/SSO auth'd - then it is down to your LDAP/SSO environment to lock the account, not Splunk.
Splunk's password policy does not lockout to the admin role by default.
To do this, add the following settings to the authorize.conf file.
$ SPLUNKHOME / system / local / authorize.conf
never_lockout = disabled