It's not possible to use a field before it exists.  You can reformat the query like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln (vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9, "High", vulnerability_cvss3_score > 8.9, "Critical")

or use a macro like this:

index=rapid7 sourcetype=rapid7:nexpose:vuln `high_cvss`
| eval p_date=strptime(vulnerability_date_published, "%Y-%m-%d")
| eval t_date=now()
| eval vuln_age= round((t_date - p_date)/86400)
| eval ratings=case(vulnerability_cvss3_score>0 AND vulnerability_cvss3_score<=3.9, "Low",vulnerability_cvss3_score>3.9 AND vulnerability_cvss3_score<=6.9, "Medium", `high_cvss`, "High", vulnerability_cvss3_score > 8.9, "Critical")

where the macro high_cvss is defined as "(vulnerability_cvss3_score>6.9 AND vulnerability_cvss3_score<=8.9)".

Hi

maybe this is what you are looking for: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/definecalcfields

r. Ismo