Try this:
| eval aaa=case(
action=="opened","success",
action=="closed","success",
action=="succeeded","success",
action=="failed","failure",
action=="Accepted","success",
action=="Invalid","failure",
match(_raw, "(?i)error trying to bind as user"),"failure",
action=="new user","created",
action=="new group","created",
action=="add" AND app=="usermod","modified",
action=="removed" AND app="gpasswd","modified",
app=="usermodd" AND action=="change","modified",
app=="usermod" AND action=="lock","modified",
match(_raw, "(?i)setting system clock"),"success",
action=="clock_sync","success",
app=="chage" and action=="changed","modified",
app=="aide" AND action="created","added",
app=="aide" AND action=="changed","modified",
app=="aide" AND action=="removed","deleted",
app=="ip route" AND action=="add","added",
match(_raw, "(?i)changed password expiry"),"modified",
match(_raw, "(?i)ip route add"),"added",
match(_raw, "(?i)ip route del"),"deleted",
match(_raw, "(?i)ip route replace"),"modified",
useradd_action=="new user" OR useradd_action=="new group","added",
action=="Up" OR action=="up","modified",
action=="Down" OR action=="down","modified")
... View more