As per the documentation you need to have the (?) when using Oracle, as I understand it that is for the OUT REFCURSOR, if I take it out I get an error. Plus when there is no data to return I get this from Splunk so it works with (?) Which matches what I see when the SQL run directly from the server The problem seems to be when there is data to be returned but I am not sure what the issue is.  ... View more

Hi @VatsalJagani , Sorry for the delay in coming back to you on this to you. I have read this documentation and got the procedure to only return one OUT REFCURSOR. I don't need to pass in anything so there is no need pass params. create or replace PROCEDURE GET_SOME_LOG_MONITORING (po_error_log_details_01 out SYS_REFCURSOR ) AS......... I can now successfully call the procedure using the below however I get no data returned from the SYS_REFCURSOR | dbxquery connection="SOME-CONNECTION"  procedure="{call ISOMESCHEMA.GET_SOME_LOG_MONITORING(?)}" However when I get a DBA to log into the database directly on the server with the same user that Splunk is using to execute the PROCEDURE they get the following results returned. TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- 25-OCT-23 11.33.40.968589 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.44.569205 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- 25-OCT-23 11.33.47.144192 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.49.823233 AM a2306D43d6606aa67f8jgrg21 TIMESTAMP --------------------------------------------------------------------------- CORRELATION -------------------------------------------------------------------------------- TO_CHAR(MSGXML) -------------------------------------------------------------------------------- {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.51.383443 AM a2306D43d6606aa67f8jgrg21 {"errors":[{"code":"500.12.004","description":"ProviderServiceFailure"}]} 25-OCT-23 11.33.52.708949 AM Splunk has the all the permissions to successfully run the PROCEDURE as proved by this being run directly on the server and data is being returned but when I execute this from the Splunk nothing is returned.  ... View more

Hi @yuanliu thanks, this example is much more straight forward. I have used that as guide and changed my code to meet my needs and this seems to work well now   index=myindex source=mysource sourcetype=mysourcetype FailureReason IN ("*Error1*", "*Error2*", "*Error3*") earliest=-60m | eventstats count sum(eval(if(_time > relative_time(now(), "-30m"), 1, 0))) as current_30m ```Get current``` | eventstats count sum(eval(if(_time < relative_time(now(), "-30m"), 1, 0))) as previous_30m ```Get previous``` | eval show_detail = if(round(((current_30m-previous_30m)/previous_30m),4)>0.1, "True", null()) ```Get percentage change compared to previous 30 mins``` | where isnotnull(show_detail) AND _time > relative_time(now(), "-30m") | table ReqReceivedTimestamp, APIName, ReqUrl, ShopName, ResponseCode, FailureReason, FailureServiceCalloutResponse     ... View more