I have the following eval statement:

| eval aaa=case(
    action=="opened","success",
    action=="closed","success",
    action=="succeeded","success",
    action=="failed","failure",
    action=="Accepted","success",
    action=="Invalid","failure",
    searchmatch("error trying to bind as user"),"failure",
    action=="new user","created",
    action=="new group","created",
    action=="add" AND app=="usermod","modified",
    action=="removed" AND app="gpasswd","modified",
    app=="usermodd" AND action=="change","modified",
    app=="usermod" AND action=="lock","modified",
    searchmatch("setting system clock"),"success",
    action=="clock_sync","success",
    app=="chage" and action=="changed","modified",
    app=="aide" AND action="created","added",
    app=="aide" AND action=="changed","modified",
    app=="aide" AND action=="removed","deleted",
    app=="ip route" AND action=="add","added",
    searchmatch("changed password expiry"),"modified",
    searchmatch("ip route add"),"added",
    searchmatch("ip route del"),"deleted",
    searchmatch("ip route replace"),"modified",
    useradd_action=="new user" OR useradd_action=="new group","added",
    action=="Up" OR action=="up","modified",
    action=="Down" OR action=="down","modified")

If I use that statement in the search pipeline, it works. If I define it in an EVAL- statement in props.conf, it breaks completely. If I remove the searchmatch() statements, it works.

Is searchmatch() not supported in props.conf? If not, is there a workaround? I tried things like: _raw=="*my text*" and that didn't work either.

I understand searchmatch() is an alias for the match() statement. I tried using match() as well and that doesn't work either.

Any ideas?