Splunk Search

What is the difference between == and = in SPL ?

HeinzWaescher
Motivator

Hi,

I've seen it several times but don't know the difference and when to use == instead of = .
Like in these samples from the docs:

  1. | eval description=case(status == 200, "OK", status ==404, "Not found", status == 500, "Internal Server Error")

  2. | eval action=if(action=="view",...)

Thanks in advance

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The == operator means "is equal to". The = operator means either "is equal to" or "is assigned to" depending on the context.
Either operator can be used to compare two fields/values with == more clearly indicating a comparison rather than an assignment.
Use = to assign a value to a field.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The == operator means "is equal to". The = operator means either "is equal to" or "is assigned to" depending on the context.
Either operator can be used to compare two fields/values with == more clearly indicating a comparison rather than an assignment.
Use = to assign a value to a field.

---
If this reply helps you, Karma would be appreciated.

HeinzWaescher
Motivator

Thanks a lot. I never used == and never ran into problems, that's why I was wondering.
So in the end it is more a cosmetical thing to use ==.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...