Splunk Search

How to Calculate Splunk User Password Age

marcus_santos_s
Path Finder

Greetings,

I use Splunk local authentication mode and have enabled password policy. I want to calculate the password age of all users to improve my user management, but I haven't found any REST API searches or endpoints that provide this information.

Does anyone know how I get this information?

0 Karma
1 Solution

kiamco
Path Finder

this is what I use

| rest /services/authentication/users splunk_server=local
| fields title, roles, email
| rename title as user
| search
| join max=2 usetime=true type=left user
    [search index=_audit action="password change" info="succeeded"
     | stats latest(timestamp) as change_timestamp by user
     | fields + change_timestamp user
    ]
|eval change_timestamp = if(isnull(change_timestamp),"never",change_timestamp )
| eval display_roles=mvjoin(roles, ", ")
| eval password_days=trunc((now() - strptime(change_timestamp, "%m-%d-%Y %H:%M:%S.%Q"))/84600)
| sort - password_days
| table user, email, change_timestamp, password_days, display_roles

View solution in original post

kiamco
Path Finder

this is what I use

| rest /services/authentication/users splunk_server=local
| fields title, roles, email
| rename title as user
| search
| join max=2 usetime=true type=left user
    [search index=_audit action="password change" info="succeeded"
     | stats latest(timestamp) as change_timestamp by user
     | fields + change_timestamp user
    ]
|eval change_timestamp = if(isnull(change_timestamp),"never",change_timestamp )
| eval display_roles=mvjoin(roles, ", ")
| eval password_days=trunc((now() - strptime(change_timestamp, "%m-%d-%Y %H:%M:%S.%Q"))/84600)
| sort - password_days
| table user, email, change_timestamp, password_days, display_roles

marcus_santos_s
Path Finder

Hi Kiamco,

Is It!!! Tkx.

0 Karma

kiamco
Path Finder

no problemo, happy to help 😄

0 Karma

adonio
Ultra Champion

try to create a user, then give the user a password, then login as that user, then change the password
sign out and login as an admin.
search: index=_audit "action=password change" and keep on going from there

hope it helps

0 Karma

marcus_santos_s
Path Finder

Hi Adonio,

Tkx for help.

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...