All your multi-select search is doing (assuming it is based on your base search) is giving you the names of the fields you have described in your base search (Pat, Con and Cov), so why not just hard code them in your multi-select? If you want to continue using the base search, your multi-select search could be simplified to | fields - Category | untable _time Reason CurationValue | table Reason | dedup Reason Having said that, it is still not clear what is not working for you. Do you need something like this? | search Reason IN ($t_reason$)

@MikeyD100 - In your query you have (?) question mark which DB connect understands as param replacement. I don't know if that is intended. If not please try updating the query accordingly.   I hope that helps!!!

 I have my base search and Pat, Con and Cov are individual columns. I want those to be the values for my multi-value select. So in my mulit-value select I un-table those columns into rows with the column being Reason.    | table _time, Pat, Con, Cov, Category  

You can't fill anything in because you don't differentiate between the login and logout events. The first bar is not necessarily a login followed by a logout, as your first event may be a logout then a login then another logout. You would need to make your search determine that 4624 is a start login event and the 4634 the logout or end event, rather than just doing a dc(user) which will always be 1. I suggest you look at a couple of apps instead of timechart that are designed for this https://splunkbase.splunk.com/app/4370 https://splunkbase.splunk.com/app/3120  

What's the definition of your multiselect input - you've only listed the search. You are using Reason $t_reason$ in your search - but in your chart search, which if it's coming from base search, there is no reason field, so you cannot filter by reason Is t_category token coming from another input? If you are using a syntax  Reason $t_reason$ and your input is a multiselect, then it looks odd that you have "Reason" in the search - is that just searching the raw text for Reason or is that somehow part of a field called Reason?

Hi @VatsalJagani , Sorry for the delay in coming back to you on this to you. I have read this documentation and got the procedure to only return one OUT REFCURSOR. I don't need to pass in anything so there is no need pass params. create or replace PROCEDURE GET_SOME_LOG_MONITORING (po_error_log_details_01 out SYS_REFCURSOR ) AS......... I can now successfully call the procedure using the below however I get no data returned from the SYS_REFCURSOR | dbxquery connection="SOME-CONNECTION"  procedure="{call ISOMESCHEMA.GET_SOME_LOG_MONITORING(?)}" However when I get a DBA to log into the database directly on the server with the same user that Splunk is using to execute the PROCEDURE they get the following results returned. TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- 25-OCT-23 11.33.40.968589 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.44.569205 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- 25-OCT-23 11.33.47.144192 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.49.823233 AM a2306D43d6606aa67f8jgrg21 TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.51.383443 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.52.708949 AM Splunk has the all the permissions to successfully run the PROCEDURE as proved by this being run directly on the server and data is being returned but when I execute this from the Splunk nothing is returned. 

@danspav for some reason the comma is not removed from the token, so it becomes  form.multi=val1,&form.multi=val2 and therefore in the receiving dashboard, it gets the first multi value as val1,  not quite sure why that regex keeps the comma

Hi @satish ,   I also tried giving "charting.fieldColors"as below . Still there is no change in the pie chart. Please guide {     "type": "splunk.pie",     "title": " Result",     "dataSources": {         "primary": "ds_PlnRHbXf"     },     "options": {         "charting.fieldColors": {             "failed": "#FF0000",             "passed": "#008000"         }     },     "context": {},     "showProgressBar": false,     "showLastUpdated": false

Hi @satish , Even after providing the series colors as mentioned by you in the previous comment, i couldnot set/change the color in piechart . Could you please help on how to change the color of piechart. I want to provide 2 colors red for failed slice and green for pass slice.           "viz_HoWEnZsV": {             "type": "splunk.pie",             "title": "Result",             "dataSources": {                 "primary": "ds_PlnRHbXf"             }         },  "ds_PlnRHbXf": {             "type": "ds.search",             "options": {                 "query": " index = _internal | chart avg(bytes) over source",             },             "seriesColors": ["#61A84F","#FFBF00", "#FF0000"],             "name": "Search_1"   Thanks,