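I have many XML files like the one below, and I want to replace a string in them with a new string. I can't seem to get the sed command to work on the XML files.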
<form version="1.1" theme="dark">
<label>Forcepoint DLP Dashboard - LongTerm</label>
<description>Activity for those with Long-Term Exceptions</description>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="TimeFrame" searchWhenChanged="true">
<label>Timeframe</label>
<default>
<earliest>-48h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<html>
<p>Macros In Use:</p>
<p>`ForcepointApprovedUSB` = Known Approved USB Devices</p>
<p>`ForcepointKnownCDDVD` = Known CD/DVD Drives</p>
<p>`ForcepointKnownMultiFunction` = Known Multi-Function Devices</p>
</html>
</panel>
</row>
<row>
<panel>
<title>Exception Info</title>
<table>
<search>
<query>index=restricted_security
sourcetype=forcepoint
| rex field=_raw "(.*act=(?<Action>.*?)\s.*)"
| rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)"
| rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)"
| rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)"
| rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)"
| rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)"
| rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)"
| rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)"
| rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)"
| rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)"
| eval Username=lower(Username)
| eval Action=if(isnull(Action),"-",Action)
| eval Serial=if(isnull(Serial),"-",Serial)
| eval EnumDeviceType=case(
(`ForcepointApprovedUSB`),"ApprovedUSB",
(`ForcepointKnownCDDVD`),"CDDVD",
(`ForcepointKnownMultiFunction`),"MultiFunction",
AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth",
AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD",
AlertType="Endpoint Removable Media" AND
Device!="Windows Portable Device (WPD)" AND NOT
(`ForcepointApprovedUSB`) AND NOT
(`ForcepointKnownCDDVD`) AND NOT
(`ForcepointKnownMultiFunction`),"UnApprovedUSB")
| join type=inner Username
[
search
index=restricted_security
sourcetype=dlp_lt
| rename UserID as Username
| eval Check = "Yes"
| fields Username,Check,Justification,Type,ExpireDate
]
| where isnotnull(EnumDeviceType) AND Check="Yes"
| eval Time=strftime(_time, "%B %d, %Y %H:%M %Z")
| dedup Username
| table Time Username Name Justification Type ExpireDate
| sort Name</query>
<earliest>$TimeFrame.earliest$</earliest>
<latest>$TimeFrame.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Transfers By Those With Long-Term Exceptions</title>
<table>
<search>
<query>index=restricted_security
sourcetype=forcepoint
| rex field=_raw "(.*act=(?<Action>.*?)\s.*)"
| rex field=_raw "(.*duser=(?<Device>.*?)(:\s\d|;|\sfname=).*)"
| rex field=_raw "(.*duser=.*?;\s(?<Serial>.*?)\sfname=)"
| rex field=_raw "(.*fname=(?<Filename>.*?)\smsg=.*)"
| rex field=_raw "(.*fname=.:\\\(?<RawFilename>.*)(?:\s-\s.*)\smsg=.*)"
| rex field=_raw "(.*suser=(?<Name>.*)\scat=.*)"
| rex field=_raw "(.*loginName=.*\\\\(?<Username>.*)\ssourceIp=.*)"
| rex field=_raw "(.*sourceIp=(?<IP>.*)\sseverityType=.*)"
| rex field=_raw "(.*sourceHost=(?<Source>.*)\sproductVersion=.*)"
| rex field=_raw "(.*sourceServiceName=(?<AlertType>.*)\sanalyzedBy=.*)"
| eval Username=lower(Username)
| eval Action=if(isnull(Action),"-",Action)
| eval Serial=if(isnull(Serial),"-",Serial)
| eval EnumDeviceType=case(
(`ForcepointApprovedUSB`),"ApprovedUSB",
(`ForcepointKnownCDDVD`),"CDDVD",
(`ForcepointKnownMultiFunction`),"MultiFunction",
AlertType="Endpoint Applications" AND Device="Bluetooth","Bluetooth",
AlertType="Endpoint Removable Media" AND Device="Windows Portable Device (WPD)","WPD",
AlertType="Endpoint Removable Media" AND
Device!="Windows Portable Device (WPD)" AND NOT
(`ForcepointApprovedUSB`) AND NOT
(`ForcepointKnownCDDVD`) AND NOT
(`ForcepointKnownMultiFunction`),"UnApprovedUSB")
| join type=inner Username
[
search
index=restricted_emn_security
sourcetype=dlp_lt
| rename UserID as Username
| eval Check = "Yes"
| dedup Username
| fields Username, Check
]
| where isnotnull(EnumDeviceType) AND Check="Yes"
| eval Time=strftime(_time, "%B %d, %Y %H:%M %Z")
| table Time Username Name Action Source Filename Device Serial EnumDeviceType
| sort -Time</query>
<earliest>$TimeFrame.earliest$</earliest>
<latest>$TimeFrame.latest$</latest>
</search>
<option name="count">30</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
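The pattern I want to replace is
index=restricted_security sourcetype=forcepoint
with
index=newname
sourcetype=forcepoint
So any pattern
index=restricted_security
sourcetype=forcepoint
should be replaced with the new value.
The XML files have many combinations, such as
index=restricted_security
sourcetype=someother value, index=someindex sourcetype=forcepoint
and so on, but those do not need to be replaced.
I have tried many patterns and many sed combinations like the one below, but none of them seem to work:
sed 's/index=restricted_security\s\nsourcetype=forcepoint/index=restricted_security sourcetype=forcepoint/g'
Can someone point out how to replace it?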
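Using Python's lxml:
The script edits the file in place.
Using xmlstarlet as a shell command, in 2 invocations of this utility:
If you need in-place editing, you can add the -L switch to xmlstarlet ed.
If needed, you can even edit the /tmp/temp.txt file with sed, using the following command:
(After the first xmlstarlet execution, this is text, not XML.)
Using GNU sed for -z, -E, the \s whitespace shorthand, and the \< and \> word boundaries:
Or if you want to join the two strings into one line (it is not clear from your question):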
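An added example, not code from the question or the answers on this page: a GNU sed rewrite run over a constructed dashboard fragment, showing why a line-by-line expression matches nothing and how `-z` with word boundaries changes only the intended index/sourcetype pair. The function names, the `newname` index and the index-name character check are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example. Requires GNU sed: -z, -E, \s, \< and \> are GNU extensions.

# Constructed sample: one target pair split over two lines, one on a single
# line, and three look-alike searches that must stay untouched.
sample_dashboard() {
  cat <<'EOF'
<form>
<query>index=restricted_security
sourcetype=forcepoint
| join type=inner Username
[ search index=restricted_security
sourcetype=dlp_lt ]
</query>
<query>index=restricted_emn_security
sourcetype=forcepoint
| append [ search index=someindex sourcetype=forcepoint ]</query>
<query>index=restricted_security sourcetype=forcepoint | head 1</query>
</form>
EOF
}

# Line-by-line attempt: sed reads one line at a time, so the pattern space
# never contains "\n" and the expression matches nothing.
line_mode_attempt() {
  sed -E 's/index=restricted_security\s*\nsourcetype=forcepoint/index=newname\nsourcetype=forcepoint/g'
}

# rewrite_index NEW_INDEX: reads XML on stdin, writes the result to stdout.
rewrite_index() {
  new_index=$1
  # Assumption: index names use only these characters. Rejecting anything
  # else also keeps "/" and "&" out of the sed replacement text.
  case $new_index in
    ''|*[!A-Za-z0-9_-]*) echo "invalid index name: $new_index" >&2; return 2 ;;
  esac
  # -z: the whole file is one record, so \s+ can span the newline.
  # \1 puts the original whitespace back, keeping the query layout.
  # \< and \> stop matches inside longer words such as forcepoint_v2.
  sed -z -E "s/\<index=restricted_security(\s+)sourcetype=forcepoint\>/index=${new_index}\1sourcetype=forcepoint/g"
}

sample_dashboard | rewrite_index newname
```

Diffing the output against the original before writing it back confirms that the `dlp_lt` subsearch and the `restricted_emn_security` search were left alone.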