
Summary
Detects exposure of sensitive information through DEBUG logging in Splunk environments by scanning the _internal index for splunkd events with log_level=DEBUG from components such as REST_Calls, AdminManager, or JSONWebToken, whose DEBUG output may contain secrets such as keys or tokens. The rule aggregates counts and time bounds per host, splunk_server, log_level, component, and event_message, then applies timestamp normalization macros. It relies on access to the _internal index and is intended to surface cases where a verbose DEBUG logging configuration enables leakage of sensitive data. The implementation notes that false positives are expected, since not every DEBUG message contains secrets, and suggests inventorying DEBUG logging and restricting it for specific apps. References to Splunk advisories and related CVEs are included, and the rule targets Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud deployments.
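As an added illustration, not the rule's published search, the following Splunk search implements the logic the summary describes; it assumes the splunkd sourcetype's extracted log_level, component and event_message fields, and uses Splunk Security Content's `security_content_ctime` macro for the timestamp normalization step.

```spl
index=_internal sourcetype=splunkd log_level=DEBUG
    component IN (REST_Calls, AdminManager, JSONWebToken)
| stats count min(_time) as firstTime max(_time) as lastTime
    by host splunk_server log_level component event_message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort - count
```

Replacing the stats clause with `stats count by host component` gives the per-component DEBUG inventory the summary recommends before restricting DEBUG logging for specific apps.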
Categories
- Endpoint
- Application
- On-Premise
Data Sources
- Script
- Pod
- Container
- User Account
- Windows Registry
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Module
ATT&CK Techniques
- T1552
- T1654
Created: 2026-06-24