
Splunk Authentication Token Exposure in Debug Log

Splunk Security Content

Summary
This analytic detects potential exposure of authentication tokens in Splunk's own internal log (splunkd.log). It scopes the search to splunkd events written at the DEBUG level whose message matches "Validating token:*" and extracts the token value with a rex capture group. Matching events are aggregated by index, sourcetype, host and token, recording the earliest and latest exposure times, the log level and the event message for context.

The purpose is to surface cases where a live credential has been written to a log. Anyone who can read the internal index, or the log file on disk, could reuse such a token to gain unauthorized access to the Splunk environment. The rule follows the Splunk security advisory for CVE-2024-29945 and is mapped to MITRE ATT&CK technique T1654 (Log Enumeration). If confirmed, token exposure can lead to unauthorized data access, privilege escalation and compromise of the Splunk deployment. Remediation involves disabling DEBUG logging for the affected component on production systems, rotating or revoking any exposed tokens, and applying the Splunk patches referenced in the advisory.

The rule links to the advisory and includes drill-downs for host-specific investigation and risk context over the previous 7 days. The search reads Splunk's internal indexes and ends with the rule's dedicated filter macro, following the Splunk Security Content conventions.
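As an added example, and not the rule's own SPL or any Splunk project code, the following Python replays the detection logic described above over constructed splunkd.log lines: it keeps only DEBUG events whose message begins with "Validating token:", pulls the token out with the same capture-group idea as the rule's rex, and aggregates by index, sourcetype, host and token with earliest and latest times. The log line layout, component and thread names, the host "idx01" and the token strings are constructed assumptions; index "_internal" and sourcetype "splunkd" are the values a splunkd.log search normally carries and are assumed here as defaults.

```python
"""Replay of the 'Validating token:' exposure detection over constructed splunkd.log lines."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample, not captured from a real deployment. Component and thread
# names are made up; only the log level and the "Validating token:" message
# prefix follow the detection described on this page. The tokens are fake.
SAMPLE_SPLUNKD_LOG = """\
03-25-2024 10:15:31.001 +0000 INFO  AuthenticationManagerSplunk [1234 HttpListener] - user=admin action=login status=success
03-25-2024 10:15:32.120 +0000 DEBUG AuthenticationManagerSplunk [1234 HttpListener] - Validating token: eyJraWQiOiJmYWtlIn0.AAAAAAAA.sig1
03-25-2024 10:16:02.555 +0000 DEBUG AuthenticationManagerSplunk [1234 HttpListener] - Validating token: eyJraWQiOiJmYWtlIn0.AAAAAAAA.sig1
03-25-2024 10:17:45.003 +0000 DEBUG TokenAuth [2222 HttpListener] - Validating token: eyJraWQiOiJmYWtlMiJ9.BBBBBBBB.sig2
03-25-2024 10:18:00.000 +0000 INFO  TokenAuth [2222 HttpListener] - Validating token: (redacted)
03-25-2024 10:19:00.000 +0000 DEBUG TcpInputProc [3333 Thread] - Validating token cache refresh done
"""

# splunkd.log line layout assumed here: timestamp, UTC offset, level, component, [thread], " - ", message
SPLUNKD_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) \[(?P<thread>[^\]]*)\] - (?P<message>.*)$"
)

# Same job as the rule's rex capture group: the token is the first non-space run after the prefix.
TOKEN_RE = re.compile(r"Validating token:\s*(?P<token>\S+)")


@dataclass
class TokenExposure:
    """One aggregated finding, keyed the way the rule's stats clause is: index, sourcetype, host, token."""
    index: str
    sourcetype: str
    host: str
    token: str
    first_seen: datetime
    last_seen: datetime
    count: int
    log_level: str
    message: str

    @property
    def fingerprint(self) -> str:
        """Short SHA-256 prefix so a ticket can name the token without repeating it."""
        return hashlib.sha256(self.token.encode()).hexdigest()[:16]


def detect_token_exposure(log_text: str, host: str,
                          index: str = "_internal", sourcetype: str = "splunkd") -> List[TokenExposure]:
    """Return findings for DEBUG-level 'Validating token:' messages, oldest first."""
    findings = {}  # (index, sourcetype, host, token) -> TokenExposure
    for line in log_text.splitlines():
        m = SPLUNKD_LINE.match(line)
        if not m or m["level"] != "DEBUG":      # the rule scopes to DEBUG events only
            continue
        t = TOKEN_RE.search(m["message"])
        if not t:                               # "Validating token cache ..." has no colon, so no match
            continue
        seen = datetime.strptime(f"{m['ts']} {m['tz']}", "%m-%d-%Y %H:%M:%S.%f %z")
        key = (index, sourcetype, host, t["token"])
        f = findings.get(key)
        if f is None:
            findings[key] = TokenExposure(index, sourcetype, host, t["token"],
                                          seen, seen, 1, m["level"], m["message"])
        else:                                   # earliest/latest, like the rule's min/max over _time
            f.first_seen = min(f.first_seen, seen)
            f.last_seen = max(f.last_seen, seen)
            f.count += 1
    return sorted(findings.values(), key=lambda f: f.first_seen)


if __name__ == "__main__":
    for f in detect_token_exposure(SAMPLE_SPLUNKD_LOG, host="idx01"):
        print(f"{f.host} {f.sourcetype} token_fp={f.fingerprint} hits={f.count} "
              f"first={f.first_seen.isoformat()} last={f.last_seen.isoformat()}")
```

On the sample, the two DEBUG lines carrying the first token collapse into one finding with a count of 2, the second token yields a second finding, the INFO line is ignored because the rule is DEBUG-scoped, and the "cache refresh" line is ignored because it lacks the colon that the capture expects. The fingerprint property is a deliberate addition: when a finding is copied into a ticket or chat, reporting a hash prefix rather than the raw value avoids turning the alert itself into a second copy of the credential. Note that a placeholder such as "(redacted)" logged at DEBUG would still be captured as a token, so a production version of this filter should drop obvious placeholder values before alerting.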
Categories
  • Application
  • Endpoint
Data Sources
  • File
  • Application Log
ATT&CK Techniques
  • T1654
Created: 2026-06-24