Tenho muitos arquivos XML como abaixo, onde gostaria de substituir uma string por uma nova string. Não consigo fazer o comando sed funcionar nos arquivos XML.
<form version="1.1" theme="dark">
<label>Forcepoint DLP Dashboard - LongTerm</label>
<description>Activity for those with Long-Term Exceptions</description>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="TimeFrame" searchWhenChanged="true">
<label>Timeframe</label>
<default>
<earliest>-48h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<p>Macros In Use:</p>
<p>`ForcepointApprovedUSB` = Known Approved USB Devices</p>
<p>`ForcepointKnownCDDVD` = Known CD/DVD Drives</p>
<p>`ForcepointKnownMultiFunction` = Known Multi-Function Devices</p>
</html>
</panel>
</row>
<row>
<panel>
<title>Exception Info</title>
<table>
<search>
<query>index=restricted_security
sourcetype=forcepoint
| rex field=_raw "(.*act=(?<Action>.*?)\s.*)"
| rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)"
| rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)"
| rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)"
| rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)"
| rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)"
| rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)"
| rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)"
| rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)"
| rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)"
| eval Username=lower(Username)
| eval Action=if(isnull(Action),"-",Action)
| eval Serial=if(isnull(Serial),"-",Serial)
| eval EnumDeviceType=case(
(`ForcepointApprovedUSB`),"ApprovedUSB",
(`ForcepointKnownCDDVD`),"CDDVD",
(`ForcepointKnownMultiFunction`),"MultiFunction",
AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth",
AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD",
AlertType="Endpoint Removable Media" AND
Device!="Windows Portable Device (WPD)" AND NOT
(`ForcepointApprovedUSB`) AND NOT
(`ForcepointKnownCDDVD`) AND NOT
(`ForcepointKnownMultiFunction`),"UnApprovedUSB")
| join type=inner Username
[
search
index=restricted_security
sourcetype=dlp_lt
| rename UserID as Username
| eval Check = "Yes"
| fields Username,Check,Justification,Type,ExpireDate
]
| where isnotnull(EnumDeviceType) AND Check="Yes"
| eval Time=strftime(_time, "%B %d, %Y %H:%M %Z")
| dedup Username
| table Time Username Name Justification Type ExpireDate
| sort Name</query>
<earliest>$TimeFrame.earliest$</earliest>
<latest>$TimeFrame.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Transfers By Those With Long-Term Exceptions</title>
<table>
<search>
<query>index=restricted_security
sourcetype=forcepoint
| rex field=_raw "(.*act=(?<Action>.*?)\s.*)"
| rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)"
| rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)"
| rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)"
| rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)"
| rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)"
| rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)"
| rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)"
| rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)"
| rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)"
| eval Username=lower(Username)
| eval Action=if(isnull(Action),"-",Action)
| eval Serial=if(isnull(Serial),"-",Serial)
| eval EnumDeviceType=case(
(`ForcepointApprovedUSB`),"ApprovedUSB",
(`ForcepointKnownCDDVD`),"CDDVD",
(`ForcepointKnownMultiFunction`),"MultiFunction",
AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth",
AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD",
AlertType="Endpoint Removable Media" AND
Device!="Windows Portable Device (WPD)" AND NOT
(`ForcepointApprovedUSB`) AND NOT
(`ForcepointKnownCDDVD`) AND NOT
(`ForcepointKnownMultiFunction`),"UnApprovedUSB")
| join type=inner Username
[
search
index=restricted_emn_security
sourcetype=dlp_lt
| rename UserID as Username
| eval Check = "Yes"
| dedup Username
| fields Username, Check
]
| where isnotnull(EnumDeviceType) AND Check="Yes"
| eval Time=strftime(_time, "%B %d, %Y %H:%M %Z")
| table Time Username Name Action Source Filename Device Serial EnumDeviceType
| sort -Time</query>
<earliest>$TimeFrame.earliest$</earliest>
<latest>$TimeFrame.latest$</latest>
</search>
<option name="count">30</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
O padrão que eu gostaria de substituir é
index=restricted_security sourcetype=forcepoint
com
index=newname
sourcetype=forcepoint
Então qualquer padrão onde
index=restricted_security
sourcetype=forcepoint
deve ser substituído pelo novo valor.
Os arquivos XML têm muitas combinações como
index=restricted_security
sourcetype=someother value, index=someindex sourcetype=forcepoint
etc, mas não precisam ser substituídos.
Eu tentei muitos padrões como abaixo com muitas combinações de sed, mas não parece funcionar
sed 's/index=restricted_security\s\nsourcetype=forcepoint/index=restricted_security sourcetype=forcepoint/g'
Alguém pode me dizer como fazer para substituir isso?
Usando Python
lxml:O script edita o arquivo no local .
Usando
xmlstarletcomo comandos shell, em 2 chamadas deste utilitário:Você pode adicionar o
-Lswitchxmlstarlet edse precisar editar no local .Você pode até editar o
/tmp/temp.txtarquivo,sedse necessário:(isso não é
XMLnada além de texto após a primeira execução dexmlstarlet)Usando GNU sed para
-z,-E,\sabreviação para espaço e limites de palavras\<e\>:ou se você quisesse as 2 strings concatenadas em uma única linha (não está claro na sua pergunta):