https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755731#M23498 <P class=""><A href="https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title9" target="_blank" rel="noopener">https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title9</A>&nbsp;</P><H3 id="restrictions-5">Restrictions</H3><P class="">All EVAL-&lt;fieldname&gt; configurations within a single props.conf stanza are processed in parallel instead of sequentially. This means you can't chain together calculated field expressions where the evaluation of one calculated field is used in the expression for the next calculated field.</P> Thu, 20 Nov 2025 19:10:07 GMT PickleRick 2025-11-20T19:10:07Z https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755700#M23495 <P>Below is props.conf for a sourcetype, where we getting results for raw_action and tag1 fields.</P><P>But considering/based upon the inputs received from raw_action and tag1 while we try to get the result for the field "action" receiving BLANK results.</P><P>Kindly someone help</P><LI-CODE lang="markup">EXTRACT-raw_action = (?&lt;raw_action&gt;Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out|Accepted|Log ged in|USER_LOGGED_IN|dnf-makecache.service: Succeeded|TASK_FINISHED|modified|acl_modified|Succeeded|success=yes|Link is Up|repaired|allowed|receive) EVAL-tag1 = case(match(raw_action,"(?i)\b(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)\b"),"authentication", match(raw_action,"(?i)\b(Accepted|Logged in|USER_LOGGED_IN)\b"),"authentication", match(raw_action,"(?i)\b(dnf-makecache.service: Succeeded)\b"),"change", match(raw_action,"(?i)\b(TASK_FINISHED|modified|acl_modified|Succeeded)\b"),"change", match(raw_action,"(?i)\b(success=yes|Link is Up|repaired|allowed|receive)\b"),"network") EVAL-action = case(tag1=="authentication" AND match(raw_action,"(?i)(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)"),"failure", tag1=="authentication" AND match(raw_action,"(?i)(Accepted|Logged in|USER_LOGGED_IN)"),"success", tag1=="change" AND match(raw_action,"(?i)(dnf-makecache.service:Succeeded)"),"modified", tag1=="change" AND match(raw_action,"(?i)(TASK_FINISHED|modified|acl_modified|Succeeded)"),"modified", tag1=="network" AND match(raw_action,"(?i)(success=yes|Link is Up|repaired|allowed|receive)"),"allowed")</LI-CODE> Thu, 20 Nov 2025 21:17:27 GMT https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755700#M23495 sureshkumaar 2025-11-20T21:17:27Z https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755707#M23497 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206567">@sureshkumaar</a>&nbsp;</P><P>You cannot reference a field generated by an EVAL statement (like tag1) inside another EVAL statement (like action) within the same props.conf stanza. All EVAL statements in a stanza run effectively in parallel based on the extracted fields, not sequentially based on each other's output.</P><DIV class="">&nbsp;</DIV><P>To fix this, remove the dependency on tag1 inside EVAL-action and rely solely on raw_action. Since raw_action is extracted via EXTRACT (which runs before EVAL), it is available for use. (See&nbsp;<A href="https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/10.0/get-started-with-knowledge-objects/the-sequence-of-search-time-operations" target="_blank" rel="noopener">https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/10.0/get-started-with-knowledge-objects/the-sequence-of-search-time-operations</A>)&nbsp;</P><DIV class="">&nbsp;</DIV><P>Additionally, there is a typo in your original EVAL-action regex: dnf-makecache.service:Succeeded is missing the space that exists in EVAL-tag1 (dnf-makecache.service: Succeeded).</P><P><SPAN class="">Try this:</SPAN></P><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV><LI-CODE lang="markup">EXTRACT-raw_action = (?&lt;raw_action&gt;Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out|Accepted|Log\s*ged in|USER_LOGGED_IN|dnf-makecache.service: Succeeded|TASK_FINISHED|modified|acl_modified|Succeeded|success=yes|Link is Up|repaired|allowed|receive) EVAL-tag1 = case(match(raw_action,"(?i)\b(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)\b"),"authentication", match(raw_action,"(?i)\b(Accepted|Logged in|USER_LOGGED_IN)\b"),"authentication", match(raw_action,"(?i)\b(dnf-makecache.service: Succeeded)\b"),"change", match(raw_action,"(?i)\b(TASK_FINISHED|modified|acl_modified|Succeeded)\b"),"change", match(raw_action,"(?i)\b(success=yes|Link is Up|repaired|allowed|receive)\b"),"network") EVAL-action = case(match(raw_action,"(?i)(Failed|Stopped|Deactivated|Login failed|USER_LOGGED_OUT|Logged out)"),"failure", match(raw_action,"(?i)(Accepted|Logged in|USER_LOGGED_IN)"),"success", match(raw_action,"(?i)(dnf-makecache.service: Succeeded)"),"modified", match(raw_action,"(?i)(TASK_FINISHED|modified|acl_modified|Succeeded)"),"modified", match(raw_action,"(?i)(success=yes|Link is Up|repaired|allowed|receive)"),"allowed")</LI-CODE><DIV class=""><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P></DIV><DIV class="">&nbsp;</DIV> Thu, 20 Nov 2025 10:21:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755707#M23497 livehybrid 2025-11-20T10:21:32Z https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755731#M23498 <P class=""><A href="https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title9" target="_blank" rel="noopener">https://help.splunk.com/en/splunk-enterprise/manage-knowledge-objects/knowledge-management-manual/9.4/get-started-with-knowledge-objects/the-sequence-of-search-time-operations#ariaid-title9</A>&nbsp;</P><H3 id="restrictions-5">Restrictions</H3><P class="">All EVAL-&lt;fieldname&gt; configurations within a single props.conf stanza are processed in parallel instead of sequentially. This means you can't chain together calculated field expressions where the evaluation of one calculated field is used in the expression for the next calculated field.</P> Thu, 20 Nov 2025 19:10:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/props-conf-not-showing-the-output-using-EVAL/m-p/755731#M23498 PickleRick 2025-11-20T19:10:07Z